Published On: Sat, Jul 28th, 2012

More details on info-stealing malware emerge

On the 17th of July 2012, Kaspersky Lab and Seculert announced the discovery of Madi, an ongoing cyber-espionage campaign targeting organisations in the Middle East.


The Madi attackers infected more than 800 victims in Iran, Israel, Afghanistan, and other countries across the globe with an info-stealing Trojan that is delivered to carefully selected targets through social engineering.

Kaspersky Lab’s experts have published a detailed technical analysis of the info-stealing malware used by the Madi attackers. The analysis provides technical examples and explanations of each primary function of the Trojan, and details how it is installed on an infected machine, logs keystrokes, communicates with its command-and-control (C&C) servers, steals and exfiltrates data, monitors communications, records audio, and captures screenshots.

Summary Findings:

· Overall, the components of the Madi campaign are unsophisticated, despite the high infection count of more than 800 victims.

· The Madi info-stealing Trojan was developed in an extremely rudimentary way, judging by the attackers’ coding style, programming techniques and poor use of Delphi.

· Most of the info-stealer’s actions and its communications with the C&C servers are handled through external files, a disorganised and elementary way of coding in Delphi.

· Despite the crude coding of the malware, high-profile victims were infected because they were tricked by the social engineering schemes deployed by the Madi attackers.

· The Madi campaign demonstrates that even low-quality malware can successfully infect machines and steal data, so users should be more careful with suspicious emails.

· No advanced exploit techniques or zero-day vulnerabilities are used anywhere in the malware, which makes the overall success of the campaign very surprising.

· Madi was a low-investment campaign in terms of development and operational effort; however, its return on investment was high considering the number of infected victims and the amount of exfiltrated data.

· Although the malware contains some unusual characteristics, there is no solid evidence pointing to who its authors are.

Staff writer
