In a story that broke around June 22nd, and that most of us in the ICS world missed, was the discovery of a virus targeting engineering drawings. It’s name is ACAD/Medre.A, and it is specifically designed to snarf up AutoCAD files, and email them to (supposedly) China. The malicious program is launched any time an AutoCAD file is opened, by using a file called ‘acad.fas’.
The virus was discovered by ESET, a Slovenian anti-virus and security company. According to AutoDesk, the vendor of AutoCAD, the virus is an AutoLISP based program, and this isn’t the first AutoCAD virus to use the ‘acad.fas’ file. I’m aware of one control system that has used AutoCAD as part of their engineering suite in previous versions, hence my interest that there may be more going on behind the scenes from an ICS perspective.
I’ve been going through a sample of ACAD/Medre.A from a control system perspective and it doesn’t appear targeted towards any control systems. I’ve looked for directories and files I’m used to seeing on the control system I’m familiar with, and others, and those folders/files simply aren’t present. The architecture of AutoLISP and VBA make it relatively easy to inspect, and the details regarding folder structure from ESET’s whitepaper helped as well.
First interesting point, the Medre.A virus does a check of for the version of AutoCAD. This is what initially concerned me. The potentially affected control system had deprecated use of AutoCAD several years ago, but old versions are still in use.
Otherwise, this is a poor virus. The code has no intelligence, it simply sends an email with the AutoCAD file as an attachment each time an AutoCAD file is opened. Think about your daily routine for a moment, how often will you open a set of Excel spreadsheets, or Word documents, and close them again? Each and every time you did that, this virus would send an email. This explains the “10,000” documents in the ESET press release. Many were likely related to normal opening and closing of the drawing, and are duplicates or minor revisions.
Another poor piece of tradecraft is the reliance on WinRAR for compressing the files. Despite some interesting version detection for AutoCAD, Medre.A simply assumes that WinRAR is present. I don’t know the standard archiving program in Peru, but I certainly know that coders can’t take it on faith that WinRAR will be available. Without WinRAR, there is no way to generate the .RAR archive at the right location, and the attempt to send the file via email doesn’t succeed. If I were evil, I would have used a VBScript based compression, which would have been more portable and less reliant on an assumed WinRAR resource.
Something interesting: The author prioritizes using AutoLISP functions over equivalent VBS functionality. For instance, to get the WINDIR environment variable, the author runs AutoLISP command “GETENV” instead of using the Windows Scripting Host or VBS to query the environment variable. Another great example is the AutoLISP “VL-REGISTRY-WRITE” rather than using WMI or another method. But, the AutoCAD built in functions are pretty impressive, and I can see minimizing the size and complexity of the VBS if better functionality already existed in AutoLISP. This suggests the author knew much more about AutoLISP than VBS.
Credit for the discovery goes to ESET, a Slovenian IT Security and Anti-Virus company. Details on the virus are on their blog, and a whitepaper is available as well. It’s good to see familiarity regarding the somewhat arcane AutoLISP out in the IT security world. I won’t spoil the details that ESET has publicized, I recommend looking at their analysis on your own. Of special interest are the main directories that ESET was able to retrieve, located on page 11 of their whitepaper.
The ACAD/Medre.A files are picked up by most anti-virus vendors, including Kaspersky, Sophos, and Symantec at this time.
I intend to do some testing and follow up with ESET, in case some control systems were picked up in a non obvious way. I can do this by inspecting the full directory list ESET grabbed from the email provider, and victims host and usernames, which were conveniently put in the subject line of the code. Of course, I’m one of the few cyber security guys who knows control system directories, hostnames, and usernames by heart. 🙂 Should be fun.
title picture by junyaogura