A recently published malware analysis report, released for the benefit of the cybersecurity community, exposed an APT group operating as a 'hacker for hire' on behalf of an unnamed company. Although news of this kind of activity is rare, the evidence shows that the target was an international design company working for a prominent real estate firm, rather than the group's usual victims in financial or government organizations. Hired for a reconnaissance project, the APT group likely considered this a sure profit, since developing a real estate project and winning the bid for their client involves a substantial amount of money.
The customized malware was delivered through the well-known architectural application Autodesk 3DS Max.
The adversaries' ingenuity led them to develop a custom-built variant of their signature malware, which they injected into an updated plugin for Autodesk 3DS Max. The malware has a dangerous ability to evade detection by security software through its sleep routine. A feature called HDcrawler also gives it the capability to scan for files with specific extensions matching their client's requirements; in this case, .jpg, .png, .zip, and other drawing or photo related extensions. Aside from its default capability of exfiltrating important system information, the added features include exfiltration of software and hardware configuration, theft of stored data and credentials, and collection of recently accessed files, including browser activity, with the gathered information transferred to an untraceable data server controlled by the APT group. Command and control execution through remote access code was also observed among the malware's capabilities.
With the news of the exploitation and the aid of the analysis report, the developer of Autodesk 3DS Max was able to immediately release patch updates to halt and remove the malware that had been injected into the plugin. Autodesk 3DS Max users are strongly advised to install them immediately.
Further investigation concluded that the same modus operandi of being hired was noted in the APT group's activities over the past few months, as a result of the surveillance conducted. The attack carried out by the APT group shows sophistication and well-crafted planning in executing the intrusion. This only proves that these adversaries are flexible and able to adapt to conditions to meet their financial goals. In this regard, everyone is expected to proactively ensure the security of our essential files and system resources in battling these widespread malicious activities.