Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.
In addition, examination of the malware identified an unusual amount of religious and political ‘distraction’ documents and images that were dropped when the initial infection occurred.
“While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims,” said Nicolas Brulez, Senior Malware Researcher, Kaspersky Lab. “Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection.”
“Interestingly, our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language,” said Aviv Raff, Chief Technology Officer, Seculert.
The Madi info-stealing Trojan enables remote attackers to steal sensitive files from infected Windows computers, monitor sensitive communications such as email and instant messages, record audio, log keystrokes, and take screenshots of victims’ activities. Data analysis suggests that multiple gigabytes of data have been uploaded from victims’ computers.
Common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.
Kaspersky Lab’s Anti-Virus system detects the Madi malware variants along with its associated droppers and modules, classified as Trojan.Win32.Madi.
To read the full research post by Kaspersky Lab’s experts please visit Securelist
To read Seculert’s research about the Madi campaign please visit the Seculert Blog.
Kaspersky Lab Newsroom
Kaspersky Lab has launched a new online newsroom, Kaspersky Lab Newsroom Europe (http://newsroom.kaspersky.eu/en), for journalists throughout Europe. The newsroom is specifically designed to serve many of the media’s most common requests, making it easier for journalists to find product and corporate information, facts and figures, editorial copy, images, videos and audio files, as well as details about the appropriate PR contacts.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for consumers, SMBs and Enterprises. The company currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
*The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2010. The rating was published in the IDC report Worldwide IT Security Products 2011-2015 Forecast and 2010 Vendor Shares – December 2011. The report ranked software vendors according to earnings from sales of endpoint security solutions in 2010.
Follow us on Twitter
Like us on Facebook