Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/19/2012
04:07 PM
50%
50%

Madi Malware: Advanced Persistent Threat Or Just A Threat?

Security researchers are calling Madi an example of an advanced persistent threat, but what makes an APT an APT?

Earlier this week, security researchers at Kaspersky Lab and Seculert reported the presence of a cyber-espionage tool known as Madi (also spelled Mahdi). The malware was quickly added to a growing list of Trojans that fall under the umbrella of advanced persistent threats (APTs).

However, there were some things about Madi that weren't very advanced at all, raising the question about just what constitutes an APT.

"We see many attacks from 'APT' where the 'A' really isn't applicable," says Roel Schouwenberg, senior researcher at Kaspersky, who added he does not like the term APT because of the confusion it causes. "[These attacks are] persistent, but that's about it. But as we can see, like with Madi, persistence by itself will still get you somewhere."

The Madi attacks qualify as APT, however, because they are also go after industrial designs, meaning there is IP theft, he said. Once on a system, Madi is capable of not only stealing data from infected Windows machines, but also monitoring email and instant messages, recording audio, capturing keystrokes, and taking screenshots of victims' computers. Researchers at Seculert and Kaspersky worked in concert to sinkhole the malware's command and control servers and analyze eight months of the campaign. Their efforts uncovered a targeted attack campaign with more than 800 victims in Iran, Israel, and other countries from around the globe.

Many of the victims were discovered to be businesspeople working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, or various government agencies in the region. All totaled, multiple gigabytes of data are believed to have been uploaded from victims' computers.

To infect computers, the attackers relied on social engineering ploys designed to get users to open up PowerPoint slideshows containing the malicious file. Unlike Flame and Stuxnet, the attack did not rely on any zero-day exploits, and no evidence has been made public so far linking it to a nation-state.

The notable differences between APTs and common cyber-crimes are focus and patience, explains Richard Wang, director of North America SophosLabs, the research arm of Sophos. APTs focus on a particular target as opposed to attacking many in the hopes of success, he said.

"The additional resources of an APT attacker can provide them with tools that are unavailable to common attackers, for example the certificate compromises and zero-day vulnerabilities we have seen used," Wang says. "However some of the other tools they use can be those of more common attackers when trying to navigate a target network."

Aviv Raff, CTO of Seculert, agrees that the same tools are sometimes used by both types of attackers, but added that APT attackers also use their own custom-made malware for their operation. Opportunistic hackers on the other hand tend to use malware kits and not invest in development, he said.

In the case of Madi, the "P" in APT -- persistent -- is the key factor, he argues.

"If the attack went under the radar for long enough time it should be considered APT ... The focus in APT is not always the motive, but rather the ability to have a stealth and successful attack over a long period of time," he says.

Unfortunately, the term APT is used to describe multiple different types of threats and there is no agreed upon exact definitions, says Liam O Murchu, manager of operations at Symantec Security Response.

"Originally, it was coined to describe targeted attacks that used zero day vulnerabilities -- often in PDFs and other document formats -- that tried to stay undetected while siphoning intellectual property out of infected networks," he says. "However, the term has since been used to describe all sorts of threats doing all sorts of things. Due to this, the term APT can mean many different things depending on who is using it and what their definition is."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SKENWARD
50%
50%
SKENWARD,
User Rank: Apprentice
7/20/2012 | 2:57:58 PM
re: Madi Malware: Advanced Persistent Threat Or Just A Threat?
It seems APT's and AET's are becoming interchangeable as to usage. The best description I saw was as follows, which was given in an interview with SC magazine.

-Patel explained that an APT is Gan individual or group intending to attack a network by any means necessary and will continue to do so until successful', while AET is a delivery mechanism
-
-
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
CVE-2021-29446
PUBLISHED: 2021-04-16
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
CVE-2021-29451
PUBLISHED: 2021-04-16
Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.
CVE-2021-29452
PUBLISHED: 2021-04-16
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this ...
CVE-2021-29444
PUBLISHED: 2021-04-16
jose-browser-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDec...