
Malware Attack Targeting AutoCAD is Suspected Espionage

Researchers at ESET have uncovered a new worm that is stealing AutoCAD drawings and designs and shipping them off to an email account that appears to be in China. Given the hype around Stuxnet and other targeted attack code, the appearance of this worm took ESET researchers by surprise.

The malware itself is written in AutoLISP, the scripting language used by AutoCAD. Over the last two months, the worm – called ACAD/Medre.A – has remained focused on Latin America, most notably Peru.

ESET is reporting an unusually high number of infections (over 10,000), and suggests that this might be explained by the fact that malware disguised as AutoCAD files may have been distributed to companies that were conducting business with public services in Peru.

Researchers say that the malware is targeting versions 14.0 to 19.2 of AutoCAD, and that the author of the worm assumes it will also work in future releases of the software.

“After some configuration, ACAD/Medre.A will begin sending the different AutoCAD drawings that are opened by e-mail to a recipient with an e-mail account at the Chinese It will try to do this using 22 other accounts at and 21 accounts at, another Chinese internet provider,” explained Righard Zwienenberg, of ESET’s malware research team, on a company blog.

In addition to AutoCAD drawings, the malware also targets PST files (email) and will attempt to copy those as well. 
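The practical question for anyone running AutoCAD shops is how to spot script code that behaves the way the worm described above does: AutoLISP that rides along with drawings and reaches for mail or mailbox files. The scanner below is an added example, not ESET's code and not the malware itself. It assumes, as a heuristic, that AutoCAD auto-loads startup LISP files such as acad.lsp from the working directory of an opened drawing (documented AutoCAD behaviour, but not stated in the article), and it treats references to SMTP, mailto, .pst files and file-copy calls inside a LISP file as worth a second look. The sample directory tree it builds is constructed for the demo and contains only harmless placeholder text.

```python
"""Walk a directory tree and flag AutoLISP files that look like drawing-stealing script code."""
import os
import re
import tempfile

# File types AutoCAD loads as script code: LISP source, compiled FAS, VLX bundles, menu LISP.
LISP_EXTS = {".lsp", ".fas", ".vlx", ".mnl"}

# Startup names AutoCAD auto-loads from a drawing's working directory (assumption; see lead-in).
AUTOLOAD_NAMES = {"acad.lsp", "acaddoc.lsp", "acad.fas", "acaddoc.fas", "acad.vlx", "acaddoc.vlx"}

# Tokens a drawing-support script has no reason to contain: mail transport, mailbox files, file copying.
SUSPICIOUS = re.compile(r"smtp|mailto:|\.pst\b|vl-file-copy|vlax-create-object", re.IGNORECASE)


def scan_tree(root: str) -> list[dict]:
    """Return one finding per LISP file, listing why it was flagged."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        lower_names = [f.lower() for f in filenames]
        has_dwg = any(n.endswith(".dwg") for n in lower_names)
        for name in filenames:
            ext = os.path.splitext(name.lower())[1]
            if ext not in LISP_EXTS:
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in AUTOLOAD_NAMES:
                reasons.append("startup autoload filename")
            if has_dwg:
                reasons.append("script code shipped beside .dwg files")
            # Only source files are inspected; compiled .fas/.vlx are flagged on placement alone.
            if ext in {".lsp", ".mnl"}:
                with open(path, encoding="latin-1") as fh:
                    text = fh.read()
                hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(text)})
                if hits:
                    reasons.append("suspicious tokens: " + ", ".join(hits))
            if reasons:
                findings.append({"path": path, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list[dict]:
    """Build a constructed sample tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="medre-scan-")
    proj = os.path.join(root, "project")
    os.makedirs(proj)
    # Constructed sample: an empty drawing plus a startup LISP file mentioning mail and a .pst file.
    open(os.path.join(proj, "plant-layout.dwg"), "wb").close()
    with open(os.path.join(proj, "acad.lsp"), "w") as fh:
        fh.write('(setq host "smtp.example.invalid")\n'
                 '(vl-file-copy "outlook.pst" "tmp.pst")\n')
    # A harmless helper script with no drawings next to it should not be flagged.
    tools = os.path.join(root, "tools")
    os.makedirs(tools)
    with open(os.path.join(tools, "dimstyle.lsp"), "w") as fh:
        fh.write("(defun c:dimfix () (princ))\n")
    return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Point `scan_tree` at a shared project drive to triage; placement next to drawings is the strongest signal for a worm that travels with the files it steals, while the token list is only a starting point and will need tuning for shops that legitimately script mail from AutoCAD.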

According to Zwienenberg, the malware represents “a serious example of suspected industrial espionage.”

“Every new design created by a victim is sent automatically to the authors of this malware. Needless to say, this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals will have designs before they even go into production by the original designer. The attacker may even go so far as to get patents on the product before the inventor has registered it at the patent office.”

The email accounts used to store the stolen files were eventually closed, but not before the damage was done. It is unknown whether the code has spread to other regions.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.