
New ME-focused cyber-spying attack uncovered

Madi malware found to be spying on selected targets in Iran and Israel

Madi appears to have been created to spy on carefully selected targets.

Security researchers from Kaspersky Lab and Seculert have announced details of another cyber-espionage attack that is targeting victims in the Middle East.

The 'Madi' Trojan, originally discovered by Seculert, was found to be spying on as many as 800 victims in the region, mainly in Iran and Israel. The targets were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.

Madi infections appear to have been delivered through social engineering aimed at selected targets, Kaspersky said. Once installed, the malware stole sensitive files from infected Windows computers, monitored sensitive communications such as email and instant messages, recorded audio, logged keystrokes, and took screenshots of victims' activities. Data analysis suggests that multiple gigabytes of data have been uploaded from victims' computers.

The malware monitored applications such as Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance was also performed over integrated ERP/CRM systems, business contracts, and financial management systems.

In addition, examination of the malware identified an unusual amount of religious and political 'distraction' documents and images that were dropped when the initial infection occurred.

Seculert and Kaspersky were able to sinkhole the Command and Control (C&C) servers, and have monitored them for the past eight months. Madi is far less sophisticated than previous cyber-espionage attacks on the region such as the Flame, Duqu and Stuxnet worms, and also appears to have been created by hackers who spoke Persian.

"While the malware and infrastructure are very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims," said Nicolas Brulez, Senior Malware Researcher, Kaspersky Lab. "Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection."

"Interestingly, our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language," said Aviv Raff, Chief Technology Officer, Seculert.
