Madi appears to have been created to spy on carefully selected targets.
Published Wednesday, 18 July 2012
By Mark Sutton
Security researchers from Kaspersky Lab and Seculert have announced details of another cyber-espionage attack that is targeting victims in the Middle East.
The ‘Madi’ Trojan, originally discovered by Seculert, was found to be spying on as many as 800 victims in the region, mainly in Iran and Israel. The targets were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.
Madi infections appear to have been delivered through social engineering aimed at selected targets, Kaspersky said. Once installed, the malware stole sensitive files from infected Windows computers, monitored communications such as email and instant messages, recorded audio, logged keystrokes, and took screenshots of victims' activities. Data analysis suggests that multiple gigabytes of data have been uploaded from victims' computers.
The malware monitored applications such as Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. It also kept watch over integrated ERP/CRM systems, business contracts, and financial management systems.
In addition, examination of the malware identified an unusual number of religious and political ‘distraction’ documents and images that were dropped when the initial infection occurred.
Seculert and Kaspersky were able to sinkhole the Command and Control (C&C) servers, and have monitored them for the past eight months. Madi is far less sophisticated than previous cyber-espionage attacks on the region such as Flame, Duqu and Stuxnet, and also appears to have been created by Persian-speaking attackers.
"While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims," said Nicolas Brulez, Senior Malware Researcher, Kaspersky Lab. "Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection."
"Interestingly, our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language," said Aviv Raff, Chief Technology Officer, Seculert.