Madi, a computer network infiltration campaign involving a malicious Trojan that is delivered via social engineering schemes to carefully-selected targets, is mainly targeting victims in the Middle East.
This is according to the results of a joint investigation between Kaspersky Lab researchers and Seculert, an advanced threat detection company, regarding Madi, which has also been described as an active cyber-espionage campaign.
The organisations worked together to sinkhole the Madi command and control (C&C) servers to monitor the campaign, and identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&C servers over the past eight months.
Statistics from the sinkhole revealed the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.
In addition, examination of the malware identified an unusual amount of religious and political 'distraction' documents and images that were dropped when the initial infection occurred.
“While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims,” says Nicolas Brulez, senior malware researcher at Kaspersky Lab.
“Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection,” he adds.
Aviv Raff, CTO at Seculert, says the joint analysis also uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. “The attackers were no doubt fluent in this language,” he says.
The Madi info-stealing Trojan enables remote attackers to steal sensitive files from infected Windows computers, monitor sensitive communications such as e-mail and instant messages, record audio, log keystrokes, and take screenshots of victims' activities. Data analysis suggests multiple gigabytes of data have been uploaded from victims' computers.
According to the companies, common applications and Web sites that were spied on include accounts on Gmail, Hotmail, Yahoo Mail, ICQ, Skype, Google+ and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts and financial management systems.
Share