Autodesk 3Ds Max Flaw
Autodesk 3Ds Max is a 3D computer graphics package used by engineering, architecture and gaming firms. The program is used to create 3D animations, models, games and images. Autodesk was developed by Autodesk Media and Entertainment using a flexible plugin architecture and runs on Microsoft Windows systems. The hackers exploited a flaw in Autodesk’s MaxScript scripting language, which had been made public earlier in August. Autodesk had issued an advisory warning users of the flaw, which they named “PhysXPluginMFX”. The exploit corrupts 3Ds Max software settings so as to be able to run malicious code. The malicious code downloads and executes other files, collects information about the compromised systems and delivers malware. The exploit can also propagate to other files on Windows systems if files containing the malicious code are opened in 3Ds Max. The advisory also provided a fix for the flaw, stating: “Autodesk recommends 3ds Max users download the latest version of Security Tools for Autodesk 3ds Max 2021-2015SP1 available in the Autodesk App Store to identify and remove the PhysXPluginMfx MAXScript malware.”
Who Was the Victim?
The attack using PhysXPluginMFX was discovered by Bitdefender, a cybersecurity and anti-virus software company. The mercenary hackers’ contracted target was an international architectural and video production firm. According to a Bitdefender whitepaper, the firm “is engaged in architectural projects with billion-dollar luxury real-estate developers in New York, London, Australia and Oman.” The whitepaper does not name the firm but explains that the attack was an espionage campaign. The researchers credit the attack to a new APT mercenary group, due to the sophistication of the attack. Attacks by mercenary groups have occurred before. However, this is the first time such groups have been hired to target the real-estate industry. “Industrial espionage is nothing new and, since the real-estate industry is highly competitive, with contracts valued at billions of dollars, the stakes are high for winning contracts for luxury projects and could justify turning to mercenary APT groups for gaining a negotiation advantage,” the researchers explained. While the hackers successfully compromised the firm, it is unclear how much information they managed to exfiltrate.
The Technology Behind the Attack
Bitdefender researchers investigating the attack found that the hackers had created a specifically crafted malware plugin for Autodesk 3Ds Max to infiltrate the firm. Once inside, the hackers deployed malicious MAXScripts to collect data on the security systems used by the firm. They also ascertained what software the firm was using before attempting to exfiltrate valuable business information. Furthermore, to remain undetected, the malicious scripts became dormant while Task Manager or Performance Monitor were running. They then started up again when these two applications were down. In addition, the scripts delivered malware capable of stealing passwords and history data from Chrome and Firefox databases. One piece of malware used was HdCrawler, which lists, compresses and uploads specific files to C2 servers. Another was InfoStealer. This malware tool can screen capture and collect data such as usernames, IP addresses of network adapters and storage information. The researchers also discovered that the Command and Control (C & C aka C2) infrastructure used in the attack is located in South Korea. Furthermore, they believe it is likely the group has conducted similar attacks in the past but have remained undetected. “Based on Bitdefender’s telemetry, we also found other similar malware samples communicating with the same command and control server, dating back to just under a month ago. Located in South Korea, United States, Japan, and South Africa, it’s likely the cybercriminal group might have also been targeting select victims in these regions as well.”
Mercenary Hackers, a Recent Phenomenon
APT mercenary hackers are sophisticated threat actors with powerful espionage tools at their disposal. They have the knowledge and skills to execute stealthy accurate attacks on select contracted victims. They also have been known to offer their services to the highest bidder. The use of APT mercenary groups, although not a new phenomenon, has increased greatly during the past couple of years. Mercenary groups that have come to the fore recently include StrongPity, Dark Basin and Deceptikons (aka DeathStalker). StrongPity has been known to serve financial and military objectives and was recently associated with a potential Turkish military operation. The other two groups have allegedly acted on behalf of clients trying to discredit or infiltrate high-profile organizations. They are believed to have also acted for clients seeking negation details for lucrative contracts. Bitdefender warns “This is likely to become the new normal in terms of the commoditization of APT groups — not just state-sponsored actors, but by anyone seeking their services for personal gain, across all industries.”
