On 17th July, 2012, Kaspersky Lab and Seculert announced the discovery of Madi, an on-going cyber-espionage campaign in the Middle East. The Madi attackers infected more than 800 victims in Iran, Israel, Afghanistan, and other countries across the globe with a malicious info-stealing Trojan, which is delivered via social engineering schemes, to carefully selected targets.

Today Kaspersky Lab’s experts published a detailed technical analysis of the info-stealing malware used by the Madi attackers. The analysis provides technical examples and explanations of each primary function of the info-stealing Trojan, and details how it’s installed on an infected machine, logs keystrokes, communicates with the C&Cs, steals and exfiltrates data, monitors communications, records audio, and captures screenshots.

 Summary findings:

  • Overall, the components of the Madi campaign are unsophisticated despite the high infection count of more than 800 victims.
  • The development of the Madi info-stealing Trojan was an extremely rudimentary approach based on the attackers’ coding style, programming techniques and poor use of Delphi.
  • Most of the info-stealers’ actions and communications with the C&C servers occur through external files, which is a disorganised and elementary way of coding in Delphi.
  • Despite the crude coding of the malware, the high-profile victims were infected by the info-stealing Trojan by being tricked with social engineering schemes deployed by the Madi attackers.
  • The Madi campaign demonstrates that even low quality malware can still successfully infect and steal data, so users should be increasingly careful of suspicious e-mails.
  • No advanced exploit techniques or zero-days are used anywhere in the malware, which makes the overall success of the campaign very surprising.
  • Madi was a low investment campaign regarding its developmental and operational efforts, but its return on investment was high considering the number of infected victims and amount of exfiltrated data.
  • Although the malware had some unusual characteristics inside it, there is no solid evidence that points to who its authors are.

 

joumana@cpidubai.com'

Joumana Saad

Before joining SME Advisor, I worked as a producer/reporter for Forbes Media in New York. I obtained a Bachelor’s degree in Journalism and International Studies at the University of South Florida in the US. I am currently in Dubai working as Sub-Editor for SME Advisor Middle East, which is a business magazine published by CPI. You can follow me on Twitter: @joumanasaad or @SMEadvisorME and (Joumana Saad) or (SME Advisor) on LinkedIn.