Madi malware still active, updated
Malware that targeted Iran and Israel recently modified and still in operation, says Kaspersky
The ‘Madi’ malware that was detected carrying out espionage attacks against targets in Iran and Israel last week is still active, according to security researchers.
Kaspersky Lab has warned that a new version of Madi has been discovered, despite command and control networks having been disabled. Nicolas Brulez, Kaspersky Lab Expert, writing on the Securelist blog, said a new version dated 25th July had been found.
The new version appears to have been modified, and now connects to a new command and control server located in Canada. Experts had thought that the malware was inactive once the command network was taken down.
The new version of the Trojan has also been modified to provide new capabilities. Madi now has the ability to monitor the Russian VKontakte social network and the Jabber communications platform. The list of keywords that are being monitored has been expanded, and includes monitoring for visits to pages that include ‘USA’ and ‘gov’ in their titles.
Madi also no longer waits for commands from the control server before uploading; it now uploads stolen data to the server right away.
The UAE Telecommunications Regulatory Authority has also confirmed that some infections with Madi were detected in the country, albeit on a very small scale.