A hackers-for-hire group is distributing malware disguised as a 3Ds Max plugin to compromise enterprise systems and steal confidential information.

Romanian antivirus and cybersecurity firm Bitdefender says it has identified what may be a new cybercriminal group, targeting companies around the world with malware hidden inside plugins for 3Ds Max.

A multi-level attack strategy uncovered

Developed by the American software company Autodesk, 3Ds Max is a 3D computer graphics application widely used by software engineering, architecture and gaming companies.

On August 10, Autodesk published a security advisory about a malicious plugin called “PhysXPluginMfx” that abuses MAXScript, the scripting language bundled with 3Ds Max. According to the advisory, once loaded into 3Ds Max the plugin uses MAXScript to run its own code, corrupt the application's settings and infect other MAX scene files on the Windows system. Because the malicious script travels inside those scene files, anyone who receives and opens an infected file is infected in turn, which is how the malware propagates.
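As an added illustration of the kind of check the advisory implies, the following Python script (written for this page; it is not Autodesk's or Bitdefender's code and not a signature for PhysXPluginMfx) performs a heuristic triage of MAXScript files and MAX scene files. It looks for the MAXScript APIs that give a script persistence (scene callbacks, persistent globals, loading other scripts, saving scenes) and those that execute code outside 3Ds Max, and flags files that combine both. The token list, the folder layout and the sample files are all assumptions constructed here.

```python
"""Heuristic triage of MAXScript persistence and code-execution primitives.

Added example: the token list is a generic set of MAXScript APIs worth a
second look, not a signature for PhysXPluginMfx, and the sample files are
constructed below for the demonstration.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# MAXScript APIs that let a script survive across scene loads or restarts.
PERSISTENCE = {
    "callbacks.addScript",   # scene-event callback; persistent:true is stored in the .max file
    "persistent global",     # global variable saved inside the scene
    "fileIn",                # loads and runs another script file
    "saveMaxFile",           # writes scene files (one way to self-propagate)
}
# MAXScript APIs that run code outside the 3ds Max scripting environment.
EXECUTION = {
    "DOSCommand",            # runs a command-line program
    "HiddenDOSCommand",      # same, without a visible console window
    "ShellLaunch",           # launches an external program or URL
    "dotNetClass",           # .NET interop from MAXScript
    "dotNetObject",
}
SCAN_SUFFIXES = {".ms", ".mse", ".mcr", ".max"}


def find_tokens(data: bytes) -> list[str]:
    """Return the known tokens present in raw file bytes.

    Both an 8-bit and a UTF-16LE view are searched, because script text
    inside a scene file may be stored in either encoding.
    """
    views = (
        data.decode("latin-1").lower(),
        data.decode("utf-16-le", errors="ignore").lower(),
    )
    return sorted(t for t in PERSISTENCE | EXECUTION
                  if any(t.lower() in v for v in views))


def verdict(data: bytes) -> str:
    """'review' when persistence and execution primitives appear together,
    'info' when only one category is present, 'clean' otherwise."""
    hits = set(find_tokens(data))
    if hits & PERSISTENCE and hits & EXECUTION:
        return "review"
    return "info" if hits else "clean"


def scan_tree(root: Path) -> dict[str, str]:
    """Map each candidate file under root (relative POSIX path) to its verdict."""
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            results[path.relative_to(root).as_posix()] = verdict(path.read_bytes())
    return results


# Constructed samples (not real malware): a harmless exporter helper, and a
# startup script that registers a persistent callback and shells out.
BENIGN_SCRIPT = (
    b"-- exporter helper\n"
    b'fn exportSel = exportFile "C:\\\\out\\\\scene.fbx" #noPrompt selectedOnly:true\n'
)
SUSPICIOUS_SCRIPT = (
    b'callbacks.addScript #filePostOpen "fileIn @\\"C:\\\\Temp\\\\stage.ms\\"" '
    b"id:#demo persistent:true\n"
    b'HiddenDOSCommand "cmd /c whoami > C:\\\\Temp\\\\o.txt"\n'
)
# The same script as UTF-16LE, standing in for text embedded in a scene file.
UTF16_SCENE = SUSPICIOUS_SCRIPT.decode("latin-1").encode("utf-16-le")


def demo() -> dict[str, str]:
    """Build a throwaway 3ds Max-like tree (constructed) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "scripts" / "startup").mkdir(parents=True)
        (root / "scenes").mkdir()
        (root / "scripts" / "startup" / "helper.ms").write_bytes(BENIGN_SCRIPT)
        (root / "scripts" / "startup" / "loader.ms").write_bytes(SUSPICIOUS_SCRIPT)
        (root / "scenes" / "project.max").write_bytes(UTF16_SCENE)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, v in demo().items():
        print(f"{v:7} {rel}")
```

In a real deployment the tree to point this at is the scripts\startup folder of the 3Ds Max installation (and the per-user one), plus any shared directory where scene files are exchanged, since the advisory's propagation path runs through scene files opened by other users. A "review" verdict is a prompt for a human to read the script, not a detection on its own: legitimate pipeline tooling also uses callbacks and .NET interop.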

On closer analysis, Bitdefender's researchers found that the real purpose of the malicious plugin was to deploy a backdoor Trojan which, once installed, lets the attackers scan the infected machine for sensitive data and exfiltrate confidential documents.

International hackers for hire

In its published report, Bitdefender also said its investigation had identified at least one of the group's targets: a global video and architectural production company currently involved in projects with developers that specialise in billion-dollar real estate deals.

Among other details uncovered during its investigation, Bitdefender found that the group used a command and control (C&C) server located in South Korea. Liviu Arsene, Senior Threat Analyst at Bitdefender, commented:

“When looking at our own telemetry, we found other samples that communicated with the same C&C server, which means that the group was not limited to only developing samples for the victim that we investigated.”

Other malware samples were observed initiating connections to the same server from hosts in other countries, including Japan, South Africa and the USA, suggesting the group may have additional, as yet unconfirmed, victims in those nations.

The observed connections date back at least one month, but according to Bitdefender that only gives a lower bound on when the group began operating, as it may have used a different server in earlier attacks.
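The pivot Arsene describes, from one sample to the C&C server it contacts and back out to every other sample that contacts that server, is simple to express in code. The Python below is an added example written for this page, not Bitdefender's tooling; the telemetry records, the RFC 5737 documentation addresses used as server identifiers, the countries and the dates are all constructed. It also goes one step beyond the text: it follows sample-to-server links to a fixed point, which is the step that would surface an older server and push back the earliest-seen date that Bitdefender cautions is only a lower bound.

```python
"""Pivoting malware telemetry on command-and-control infrastructure.

Added example with constructed data: sample labels stand in for file
hashes, the servers are RFC 5737 documentation addresses, and the dates
and countries are invented for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Beacon:
    sample: str    # identifier of the malware sample (a hash in practice)
    c2: str        # server the sample connected to
    country: str   # country of the host where the connection was seen
    seen: date     # date of the connection


@dataclass(frozen=True)
class Cluster:
    c2s: tuple[str, ...]
    samples: tuple[str, ...]
    countries: tuple[str, ...]
    first_seen: date   # earliest connection in the cluster: a lower bound only
    last_seen: date


# Constructed telemetry, not Bitdefender's data.
TELEMETRY = [
    Beacon("sample-01", "192.0.2.10", "JP", date(2020, 7, 14)),
    Beacon("sample-02", "192.0.2.10", "ZA", date(2020, 7, 20)),
    Beacon("sample-03", "192.0.2.10", "US", date(2020, 8, 2)),
    # The same sample earlier used a different server: the link that
    # connects the current infrastructure to an older phase.
    Beacon("sample-03", "198.51.100.7", "US", date(2020, 5, 30)),
    Beacon("sample-04", "198.51.100.7", "JP", date(2020, 4, 11)),
    # Unrelated activity that shares nothing with the cluster above.
    Beacon("sample-05", "203.0.113.9", "DE", date(2020, 8, 1)),
]


def summarise(telemetry: list[Beacon], c2s: set[str]) -> Cluster:
    """Collapse every beacon to one of the given servers into a Cluster."""
    hits = [b for b in telemetry if b.c2 in c2s]
    if not hits:
        raise ValueError(f"no telemetry for {sorted(c2s)}")
    return Cluster(
        c2s=tuple(sorted(c2s)),
        samples=tuple(sorted({b.sample for b in hits})),
        countries=tuple(sorted({b.country for b in hits})),
        first_seen=min(b.seen for b in hits),
        last_seen=max(b.seen for b in hits),
    )


def pivot(telemetry: list[Beacon], c2: str) -> Cluster:
    """First-order pivot: everything that talked to one server."""
    return summarise(telemetry, {c2})


def expand(telemetry: list[Beacon], seed_c2: str) -> Cluster:
    """Follow server -> samples -> servers links until nothing new appears."""
    c2s = {seed_c2}
    while True:
        samples = {b.sample for b in telemetry if b.c2 in c2s}
        grown = c2s | {b.c2 for b in telemetry if b.sample in samples}
        if grown == c2s:
            return summarise(telemetry, c2s)
        c2s = grown


if __name__ == "__main__":
    direct = pivot(TELEMETRY, "192.0.2.10")
    print("direct pivot:", direct.samples, direct.countries, "first seen", direct.first_seen)
    wider = expand(TELEMETRY, "192.0.2.10")
    print("after expansion:", wider.c2s, "first seen", wider.first_seen)
```

On the constructed data the first-order pivot on 192.0.2.10 returns three samples from three countries and an earliest connection in mid-July, while the expansion pulls in the older server 198.51.100.7 and moves the earliest date back to April; the unrelated 203.0.113.9 cluster stays out because no sample bridges to it. That is precisely why the date of the earliest observed connection to a single server says nothing about when a group started operating.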

Arsene commented:

“If the sophistication of this investigated attack is any indication, they seem to have a firm grasp of what they’re doing and could have been flying under the radar of security specialists for some time.”

Although information about the group's operation is still scarce, Bitdefender's researchers view it as one more example of hackers for hire. These cyber-soldiers of fortune rent out their skills and tooling to individuals and organisations pursuing industrial espionage.