Security alert over ‘Madi’ cyber-espionage campaign in Middle East
By Digital News Asia July 19, 2012
- Victims primarily business people working on Iranian and Israeli critical infrastructure projects
- Targets like Iran, Israel, and Saudi Arabia suggest involvement of a nation-state
CYBERSECURITY companies are using alerts over the recent resurgence of ‘Madi,’ a trojan used in targeted campaigns and observed in the wild since last December.
Targets of the Madi campaign appear to be all over the spectrum but include oil companies, US-based think-tanks, a foreign consulate, as well as various governmental agencies, including some in the energy sector, Symantec Security Response reported.
Although Madi has been seen targeting various Middle Eastern countries, it has also been found across the globe from the United States to New Zealand, Symantec said (see pie chart, courtesy of Symantec; click to enlarge).
The Madi attack relies on social engineering techniques to get onto targeted computers. Targets like Iran, Israel, and Saudi Arabia might suggest involvement of a nation-state, however our research has not found evidence that this is the case, it added.
Meanwhile, Kaspersky Lab researchers announced the results of a joint-investigation with Seculert, the advanced threat detection company which originally discovered Madi.
Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months.
Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.
In addition, examination of the malware identified an unusual amount of religious and political ‘distraction’ documents and images that were dropped when the initial infection occurred.
“While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims,” said Nicolas Brulez, senior malware researcher at Kaspersky Lab. “Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection.”
“Interestingly, our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language,” said Aviv Raff, chief technology officer at Seculert.
The Madi info-stealing Trojan enables remote attackers to steal sensitive files from infected Windows computers, monitor sensitive communications such as email and instant messages, record audio, log keystrokes, and take screenshots of victims’ activities. Data analysis suggests that multiple gigabytes of data have been uploaded from victims’ computers.
Common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.
Kaspersky Lab’s Anti-Virus system detects the Madi malware variants along with its associated droppers and modules, classified as Trojan.Win32.Madi.
Additional details can be found at a Symantec Security Response blog here. To read the full research post by Kaspersky Lab’s experts, go to Securelist. To read Seculert’s research about the Madi campaign, check out the Seculert Blog.
Stuxnet, Flame and the new world disorder