Security researchers from Bitdefender discovered a new hacker group that is currently targeting companies across the world with malware hidden inside malicious 3Ds Max plugins.
Autodesk 3ds Max, formerly 3D Studio and 3D Studio Max, is a professional 3D computer graphics program for making 3D animations, models, games and images. It is developed and produced by Autodesk Media and Entertainment. It has modeling capabilities and a flexible plugin architecture and must be used on the Microsoft Windows platform. I
3Ds Max is used by engineering, architecture, gaming, or software organizations.
In early August, Autodesk published a security alert warning about a malicious plugin named “PhysXPluginMfx,” it is a variant of the MAXScript exploit.
“A variant of a MAXScript exploit “PhysXPluginMfx” has been identified and a free plugin is now available in the Autodesk App Store to detect and remove the malicious code.” reads the security alert.
Upon loading the malicious plugin inside 3Ds Max, PhysXPluginMfx would execute malicious MAXScript operations to corrupt 3Ds Max settings, run malicious code, and even propagate to other MAX files.
According to Bitdefender, the plugin was designed to deploy a backdoor trojan that could be used to steal sensitive files from the infected systems.
Bitdefender researchers investigated at least one attack against an international architectural and video production company that has been collaborating in billion-dollar real estate projects in New York, London, Australia, and Oman.
“During the investigation, Bitdefender researchers found that threat actors had an entire toolset featuring powerful spying capabilities and made use of a previously unknown vulnerability in a popular software widely used in 3D computer graphics (Autodesk 3ds Max) to compromise the target.” reads the post published by BitDefender.
“Industrial espionage is nothing new, and, since the real estate industry is highly competitive, with contracts valued at billions of dollars, the stakes are high for winning contracts for luxury projects. This could justify turning to mercenary APT groups for gaining a negotiation advantage.”
The threat actor used a malware command and control (C&C) server that was located in South Korea.
“Looking through the telemetry of the C&C, we noticed that there are reports, which include some of the discovered .net assembly internal names found initially on the victims’ machine or downloaded from the C&C.” continues the report. “After analysis, we have managed to gather more tools, based on direct usage or based on common portions of code. Beside this, we have also noticed that all of them share the C&C address from the victim (address + port).”
Some of the samples analyzed by Bitdefender connected to the C&C server from countries South Korea, United States, Japan, and South Africa, a circumstance that suggests the hackers might have also targeted businesses in these countries.
The attackers also use malware to collect details about the compromised host and steal files with specific extensions.
According to the researchers, the attackers compile file-stealing component for each victim to include the list of files they want to steal.
To avoid detection, the malicious binary remains dormant if Task Manager or Performance Monitor were running.