A sophisticated hack-for-hire group specializing in industrial espionage exploited the Autodesk 3ds Max modeling and animation software in an attack aimed at a company involved in luxury real estate projects, cybersecurity firm Bitdefender reported on Wednesday.
Bitdefender has analyzed what it describes as an “APT-style cyberespionage attack” targeting an international architecture and video production company. The target has not been named, but it’s said to have worked on billion-dollar real estate projects in London, New York, Australia and Oman.
According to Bitdefender researchers, the attackers collected data on the security systems and software used by the target before attempting to exfiltrate valuable information.
The company believes the attack may have started with a malicious 3ds Max plugin being sent to the victim.
The hackers leveraged MAXScript exploits (MAXScript is the scripting language built into 3ds Max) to download and execute other files, collect information about the compromised systems, and deliver malware capable of capturing screenshots and stealing passwords and browsing history from a Chrome database.
Bitdefender believes that other organizations were also targeted with MAXScript exploits before this attack was detected.
“Based on Bitdefender’s telemetry, we also found other similar malware samples communicating with the same command and control server, dating back to just under a month ago. Located in South Korea, United States, Japan, and South Africa, it’s likely the cybercriminal group might have also been targeting select victims in these regions as well,” Bitdefender said in its report.
A security advisory published earlier this month by Autodesk warns 3ds Max users of a MAXScript exploit named PhysXPluginMfx that can “corrupt 3ds Max software’s settings, run malicious code, and propagate to other MAX files (*.max) on a Windows system if scene files containing the script are loaded into 3ds Max.”
The vendor has released a free plugin that can help users detect and remove the malicious code.
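Because the advisory says the script rides inside scene files and spreads to other *.max files once they are loaded, one defensive step is to triage scene files for embedded MAXScript before opening them. The following is an added example, not code from Bitdefender's report or from Autodesk's detection plugin; it assumes *.max scenes are OLE compound files whose embedded text may be stored as ASCII or UTF-16LE, and the MAXScript function names used as indicators are a hypothetical starting set, not the functions used in this attack.

```python
"""Heuristic triage of 3ds Max scene files (*.max) for embedded MAXScript.

Added example, not from Bitdefender's report or Autodesk's tool.
Assumptions: embedded script text may appear as plain ASCII or as UTF-16LE
inside the compound file; the indicator list is a defender's starting
point to tune, not the exact functions used in the reported attack.
"""
import re
from pathlib import Path

# MAXScript calls that let a scene-embedded script persist on scene events,
# run other programs, or pull in further script. Assumed set.
INDICATORS = (
    "callbacks.addScript",   # register a script to run on scene events
    "DOSCommand",            # run a shell command
    "HiddenDOSCommand",      # same, without a visible console
    "dotNetClass",           # reach into .NET (e.g. network downloads)
    "ShellLaunch",           # launch an external program or URL
    "fileIn",                # execute another script file
)

# MAXScript is case-insensitive, so match indicators case-insensitively
# in both byte encodings.
PATTERNS = [
    (name, re.compile(re.escape(name.encode(enc)), re.IGNORECASE))
    for name in INDICATORS
    for enc in ("ascii", "utf-16-le")
]

def find_indicators(data: bytes) -> dict:
    """Return {indicator: count} for every indicator found in raw file bytes."""
    hits = {}
    for name, pat in PATTERNS:
        n = len(pat.findall(data))
        if n:
            hits[name] = hits.get(name, 0) + n
    return hits

def scan_tree(root: str) -> dict:
    """Scan every *.max under root; return {path: hits} for flagged files only."""
    flagged = {}
    for p in Path(root).rglob("*.max"):
        hits = find_indicators(p.read_bytes())
        if hits:
            flagged[str(p)] = hits
    return flagged

# Constructed sample standing in for a scene carrying a scene-event callback
# (ASCII) and a shell call (UTF-16LE), padded with benign null bytes.
SAMPLE = (b"\x00" * 16 + b"callbacks.addScript #filePostOpen" + b"\x00" * 8
          + "DOSCommand".encode("utf-16-le") + b"\x00" * 16)

if __name__ == "__main__":
    print(find_indicators(SAMPLE))
```

A hit only means the scene carries script worth a manual look, since legitimate scenes also use callbacks; pair the scan with Autodesk's own detection plugin rather than treating it as a verdict.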
The command and control (C&C) infrastructure used in the attack detailed by Bitdefender is located in South Korea, but the company has not shared other information regarding attribution.