Kaspersky Lab

Kaspersky Lab Experts Provide Detailed Analysis of the ‘Madi’ Info-stealing Malware

27 Jul 2012
Virus News

On the July 17, 2012, Kaspersky Lab and Seculert announced the discovery of Madi, an on-going cyber-espionage campaign in the Middle East. The Madi attackers infected more than 800 victims in Iran, Israel, Afghanistan, and other countries across the globe with a malicious info-stealing Trojan, which is delivered via social engineering schemes, to carefully selected targets.

Today Kaspersky Lab’s experts published a detailed technical analysis of the info-stealing malware used by the Madi attackers. The analysis provides technical examples and explanations of each primary function of the info-stealing Trojan, and details how it’s installed on an infected machine, logs keystrokes, communicates with the C&Cs, steals and exfiltrates data, monitors communications, records audio, and captures screenshots.

Summary Findings:

  • Overall, the components of the Madi campaign are unsophisticated despite the high infection count of more than 800 victims.
  • The development of the Madi info-stealing Trojan was an extremely rudimentary approach based on the attackers’ coding style, programming techniques and poor use of Delphi.
  • Most of the info-stealers’ actions and communications with the C&C servers occur through external files, which is a disorganized and elementary way of coding in Delphi.
  • Despite the crude coding of the malware, the high-profile victims were infected by the info-stealing Trojan by being tricked with social engineering schemes deployed by the Madi attackers.
  • The Madi campaign demonstrates that even low quality malware can still successfully infect and steal data, so users should be increasingly careful of suspicious emails.
  • No advanced exploit techniques or zero-days are used anywhere in the malware, which makes the overall success of the campaign very surprising.
  • Madi was a low investment campaign regarding its developmental and operational efforts, but its return on investment was high considering the number of infected victims and amount of exfiltrated data.
  • Although the malware had some unusual characteristics inside it, there is no solid evidence that points to who its authors are.

To read the full analysis of Madi’s info-stealing malware, please visit Securelist.

© 1997 – 2014 Kaspersky Lab

All Rights Reserved. Industry-leading Antivirus Software