Researchers shine light on hackers-for-hire op that hit estate agent with malicious plugin for Autodesk 3ds Max
Attackers aimed to steal pics, vids, and compressed files
A hacker crew targeted a luxury estate agency involved in multimillion-pound property deals by deploying malicious plugins for 3D design software Autodesk 3ds Max as part of a potential hacks-for-hire operation.
The unnamed company was targeted by the criminals in what infosec firm Bitdefender called a "sophisticated APT-style cyberespionage attack".
While some of the hackers' command-and-control (C2) infrastructure was traced back to South Korea, Bitdefender hesitated to say that the hackers themselves hailed from the tech-savvy Asian nation.
"The Bitdefender investigation revealed the cybercriminal group infiltrated the company using a tainted and specially crafted plugin for Autodesk 3ds Max (popular software widely used in 3D computer graphics)," the company said in a statement.
Liviu Arsene, a global cybersecurity researcher from Bitdefender, added: "This doesn't seem to be a campaign targeting multiple victims, but a highly targeted attack going after a single victim. We currently don't know when the initial infection occurred, as our investigation started after the compromise. At the time our report was published, the command-and-control infrastructure was still active, potentially indicating that it's still being used by other malware."
As for the malware itself, once deployed into the target network it collects information from the host machine, takes screenshots, steals video, images and compressed files (zip, rar and so on), and captures details of saved passwords and browsing history – beaming all of it back to HQ. Bitdefender suspected the loader was capable of requesting other malicious binaries from the C2 infrastructure, but the firm was only able to obtain one sample during its investigation.
To hide itself from casual user inspection, the malware set a flag instructing itself to "sleep", thus pushing it down a list of system resource-consuming items if the user opened Windows Task Manager.
Autodesk itself warned of the malicious plugin, called PhysXPluginMfx, in an advisory note published a couple of weeks ago. The file, it warned users, "can corrupt 3ds Max software's settings, run malicious code, and propagate to other [.max files] on a Windows system if scene files containing the script are loaded into 3ds Max".
Bitdefender's Arsene concluded: "As cyber criminal groups are becoming more sophisticated and act more like mercenaries, it's likely they will continue making their services available to the highest bidders. This new APT-as-a-service business model seems to be the next evolutionary step in sophisticated attacks."
The full research report is available on Bitdefender's website as a PDF. ®