Researchers from security firm Bitdefender discovered a new cyber-espionage campaign that targets companies all over the world using malicious Autodesk 3ds Max plugins.
3ds Max is a professional 3D computer graphics program for making 3D animations, models, games and images, developed and produced by Autodesk Media and Entertainment.
Earlier this month, Autodesk released a security advisory about a malicious plugin named "PhysXPluginMfx" that abused the MAXScript utility, which ships with the 3ds Max software. According to the company, PhysXPluginMfx is a MAXScript exploit, which “can corrupt 3ds Max software’s settings, run malicious code, and propagate to other MAX files (*.max) on a Windows system if scene files containing the script are loaded into 3ds Max.”
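Because the advisory says the script propagates into other *.max scene files, a defender's first question is usually "which of our scene files carry it?". The following triage script is an added example, not code from Bitdefender or Autodesk: it walks a directory of scene and script files and flags any that contain the plugin name from the advisory or MAXScript primitives that can launch external commands (the indicator list is an assumption for triage, not a signature from the report), checking both ASCII and the UTF-16LE encoding used inside the binary .max container.

```python
import tempfile
from pathlib import Path

# Assumed indicators: the plugin name from the Autodesk advisory plus MAXScript
# functions that can execute external commands. Tune this list for your environment.
SUSPECT_STRINGS = ["PhysXPluginMfx", "DOSCommand", "HiddenDOSCommand", "ShellLaunch"]
SCAN_SUFFIXES = {".max", ".ms"}  # scene files and plain MAXScript files


def scan_bytes(data: bytes) -> list:
    """Return the sorted list of indicators found in data (case-insensitive)."""
    lowered = data.lower()  # bytes.lower() only touches ASCII, which is what we want
    hits = set()
    for s in SUSPECT_STRINGS:
        for encoded in (s.encode("ascii"), s.encode("utf-16-le")):
            if encoded.lower() in lowered:
                hits.add(s)
    return sorted(hits)


def scan_tree(root) -> dict:
    """Map file name -> indicators for every scene/script file under root with a hit."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_bytes(path.read_bytes())
            if hits:
                findings[path.name] = hits
    return findings


def demo_scan() -> dict:
    """Run the scanner over constructed sample files (not real malware) in a temp dir."""
    ole_header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file magic used by .max
    clean = ole_header + b"geometry and materials only"
    # Constructed sample: plugin name stored as UTF-16LE, shell primitive stored as ASCII.
    suspect = ole_header + "PhysXPluginMfx".encode("utf-16-le") + b"\x00" + b"shelllaunch"
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "clean.max").write_bytes(clean)
        (Path(tmp) / "suspect.max").write_bytes(suspect)
        (Path(tmp) / "notes.txt").write_bytes(suspect)  # wrong extension, not scanned
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, hits in demo_scan().items():
        print(f"{name}: {', '.join(hits)}")
```

A hit only means the file deserves a closer look in an isolated environment; legitimate scripts also use DOSCommand and ShellLaunch.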
Bitdefender said the cybercriminal group targeted at least one company using a malicious 3ds Max plugin. The researchers were investigating a recent sophisticated attack on an international architectural and video production company, currently engaged in architectural projects with billion-dollar luxury real-estate developers across four continents, and found that the hackers had compromised it using a tainted, specially crafted plugin for Autodesk 3ds Max. They also found that the command and control infrastructure the group used to test its malicious payload was located in South Korea.
The investigation also revealed that the attackers had an entire toolset with powerful spying capabilities. The toolset consists of several components, namely HdCrawler (a binary responsible for listing, compressing and uploading a list of specific files) and an info-stealer that can capture screenshots and gather system information such as the username, computer name, the IP addresses of network adapters, the Windows ProductName, the version of the .NET Framework, information about the processors, and other data.
“The sophistication of the attack reveals that the APT-style group had prior knowledge of the company’s security systems and used software applications, carefully planning their attack to infiltrate the company and exfiltrate data undetected,” Bitdefender said.
While Bitdefender was able to confirm only one attack, the researchers found malware samples that initiated connections to the attackers’ command and control server from South Korea, the USA, Japan, and South Africa. This finding suggests that the number of victims could be much higher.
“While this is not the first incident in which APT mercenary groups have been potentially used to conduct espionage or coordinate with alleged military operations, these events have intensified during the past couple of years… This is likely to become the new normal in terms of the commoditization of APT groups - not just state-sponsored actors, but by anyone seeking their services for personal gain, across all industries,” the researchers said.