Kaspersky Lab and Seculert Announce ‘Madi,’ a Newly Discovered Cyber-Espionage Campaign in the Middle East
Woburn, MA - July 17, 2012 - Today, Kaspersky Lab researchers announced the results of a joint investigation with Seculert, an Advanced Threat Detection company, regarding “Madi,” an active cyber-espionage campaign targeting victims in the Middle East. Originally discovered by Seculert, Madi is a computer network infiltration campaign that involves a malicious Trojan delivered via social engineering schemes to carefully selected targets.
Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.
In addition, examination of the malware identified an unusual amount of religious and political ‘distraction’ documents and images that were dropped when the initial infection occurred.
“While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims,” said Nicolas Brulez, Senior Malware Researcher, Kaspersky Lab. “Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection.”
“Our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language,” said Aviv Raff, Chief Technology Officer, Seculert.
The Madi info-stealing Trojan enables remote attackers to steal sensitive files from infected Windows computers, monitor sensitive communications such as email and instant messages, record audio, log keystrokes, and take screenshots of victims’ activities. Data analysis suggests that multiple gigabytes of data have been uploaded from victims’ computers.
The applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial
Kaspersky Lab’s Anti-Virus system detects the Madi malware variants along with its associated droppers and modules, classified as Trojan.Win32.Madi.
To read the full research post by Kaspersky Lab’s experts, please visit Securelist.

To read Seculert’s research about the Madi campaign, please visit the Seculert Blog.
About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for consumers, SMBs and Enterprises. The company currently operates in almost 200 countries across the globe, providing protection for over 300 million users worldwide. Learn more at
*The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2010. The rating was published in the IDC report Worldwide IT Security Products 2011-2015 Forecast and 2010 Vendor Shares – December 2011. The report ranked software vendors according to earnings from sales of endpoint security solutions in 2010.