A number of sites have published analyses of a relatively new piece of malware, ACAD/Medre.A. We have seen highly specialized malware in recent years, Stuxnet, which targeted Iranian nuclear facilities, being the best-known example, and most modern malware has some data exfiltration component, but ACAD/Medre.A is unusual in how narrowly targeted and specialized it appears to be.
The current version of ACAD/Medre.A appears to be aimed at AutoCAD files hosted at IP addresses in Peru. AutoCAD is popular software used to create blueprints and hardware and chip designs, so the files it produces are obviously valuable intellectual property for the company that owns them.
ACAD/Medre.A is not thrown-together, low-quality malware. Analysis reveals that it is well written, at a level that suggests an experienced malware author produced it. Some have speculated that ACAD/Medre.A was created by a competitor to target a particular Peruvian company.
My belief is that one of two other possibilities is more likely. Either it is a limited test of a new malware concept that will be unleashed on the wider world in the future (the malware is written in AutoLISP, AutoCAD's built-in scripting language, and to the best of my knowledge it is the first malware written in that language), or it is a targeted intellectual property attack by one of the organized malware groups. This malware exfiltrated data to two email addresses in China; while that may provide a clue, it does not really help in identifying the group involved.
Who the actors are and what their intentions are is largely irrelevant to us as security practitioners. This type of attack reiterates that a large part of securing your organization is not technical, but lies in understanding what data your company owns and needs to protect. Every organization needs policies and procedures for accurately classifying data. That sounds simple in concept, but most organizations struggle to classify data accurately and to maintain that classification throughout the data lifecycle. Only once you have a clear understanding of what your most sensitive data is, and where it is stored, can you design and implement controls to protect it.
What steps have you taken to aid in the accurate classification of your organization's data?
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.