Hacker-for-hire group uses malicious 3Ds Max plugin to spread malware

APT hackers exploit 3Ds Max software to compromise computers of a luxury architecture firm

Hackers-for-hire group collecting information from companies to help competing firms to gain advantage. Report^[1] surfaced about the APT hacker-for-hire operations and techniques used for industrial espionage.^[2] Various companies got targeted by this group with malware that can steal proprietary information.^[3] Companies across the globe got targeted by this, what seems to be, a new hacker group. The investigation showed that the unnamed victim is associated with real-estate developers in the U.S, the U.K, and Australia.

Threat creators focused on infrastructure based on C&C servers, in South Korea. This is how traffic from malware samples in various countries get recorded and suggest other targets. This espionage is used to get information from competing private companies, so confidential information helps to take them down. This is why hackers-for-hire got created and is still popular.^[4]

As per reports in the past, APT mercenary groups have been used for cyberespionage by private competing companies seeking financial information or negotiation details for high-profile contracts. This attack likely falls under the same category.

New normal for APT groups

The group behind this campaign was found using sophisticated hacking tools and providing services to various customers that need financial details about high-value contracts. APT-style hacker group infiltrates the system of targeted companies and exfiltrates needed information undetected. Typically, such APT mercenary groups hit financial, legal sectors,^[5] but this time hackers aimed to affect the real estate industry.

It is believed to be a new common feature because actors are not only state-sponsored. Hackers are now employed by anyone who needs personal gain in various industries. Key findings according to Bitdefender research team lists:

• Potential APT mercenary group used for industrial cyberespionage
• Industrial espionage for competitiveness in the real-estate industry
• Malicious payload posing as a plugin for a popular 3D computer graphics software (Autodesk 3ds Max)
• Payload tested against the company’s security solution to avoid detection upon delivery
• C2 infrastructure based in South Korea.

Maliciously affected Autodesk 3Ds Max Plugin used

AutoDesk already informed users about the “PhysXPluginMfx” MAXScript exploit that potentially can lead to corrupted 3ds Max settings. Malicious code execution, propagating other MAX files on Windows systems, and loading infected files into the software can be possible. However, the analysis showed that the investigated sample also contained an embedded DLL file. This is what triggered the additional download of .NET binaries from the C&C server with a focus on stealing confidential documents.

The attack vector was affected by Autodesk 3ds Max versions. These vulnerable pieces allowed code execution on the Windows system. This is how actors managed to spread the malware for collecting details about compromised hosts and steal information. Besides these tools employed for password extraction and taking screenshots, hackers also stole files with particular formats.

These operations were silent, and attackers remained under the radar because malicious binary was hidden as the Task Manager or Performance Monitor running in the background. It is noted that 3ds Max users should download the latest version of Security Tools for Autodesk 3ds Max 2021-2015SP1, so malware can be identified and removed.