On 17th July, 2012, Kaspersky Lab and Seculert announced the discovery of Madi, an on-going cyber-espionage campaign in the Middle East. The Madi attackers infected more than 800 victims in Iran, Israel, Afghanistan, and other countries across the globe with a malicious info-stealing Trojan, which is delivered via social engineering schemes, to carefully selected targets.
Today Kaspersky Lab’s experts published a detailed technical analysis of the info-stealing malware used by the Madi attackers. The analysis provides technical examples and explanations of each primary function of the info-stealing Trojan, and details how it’s installed on an infected machine, logs keystrokes, communicates with the C&Cs, steals and exfiltrates data, monitors communications, records audio, and captures screenshots.
- Overall, the components of the Madi campaign are unsophisticated despite the high infection count of more than 800 victims.
- The development of the Madi info-stealing Trojan was an extremely rudimentary approach based on the attackers’ coding style, programming techniques and poor use of Delphi.
- Most of the info-stealers’ actions and communications with the C&C servers occur through external files, which is a disorganised and elementary way of coding in Delphi.
- Despite the crude coding of the malware, the high-profile victims were infected by the info-stealing Trojan by being tricked with social engineering schemes deployed by the Madi attackers.
- The Madi campaign demonstrates that even low quality malware can still successfully infect and steal data, so users should be increasingly careful of suspicious e-mails.
- No advanced exploit techniques or zero-days are used anywhere in the malware, which makes the overall success of the campaign very surprising.
- Madi was a low investment campaign regarding its developmental and operational efforts, but its return on investment was high considering the number of infected victims and amount of exfiltrated data.
- Although the malware had some unusual characteristics inside it, there is no solid evidence that points to who its authors are.
Rushika Bhatia Editor
Rushika Bhatia is one of the region’s leading commentators on business and current affairs issues. She is the Editor of SME Advisor magazine - the flagship title of CPI Business. She is passionate about infographics – with special emphasis on data, research and statistics. Rushika has a Bachelor’s Degree from Indiana University, USA and is also CIMA qualified.