Kaspersky Lab researchers have recently announced the results of a joint investigation with Seculert, a Threat Detection company, regarding “Madi”, an active cyber-espionage campaign targeting victims in the Middle East.
Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. In addition, examination of the malware identified an unusual amount of religious and political “distraction” documents and images that were dropped when the initial infection occurred.
“While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims. Perhaps, the amateurish and rudimentary approach helped the operation fly under the radar and evade detection,” said Nicolas Brulez, Senior Malware Researcher, Kaspersky Lab.
“Interestingly, our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language,” said Aviv Raff, Chief Technology Officer, Seculert.
Kaspersky Lab’s Anti-Virus system detects the Madi malware variants along with its associated droppers and modules, classified as Trojan.Win32.Madi.