Feeds

New 'Madi' cyber-espionage campaign targets Iran AND Israel

Attackers 'fluent in Persian', say security sinkholers

Internet Security Threat Report 2014

Security researchers have discovered a new cyber-espionage campaign targeting victims in the Middle East.

Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel, Afghanistan and elsewhere in the course of monitoring control servers associated with cyber/espionage operation over the last eight months.

"Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East," according to Seculert.

The Madi malware associated with the electronic spying operation is far less sophisticated than the Flame, Duqu and Stuxnet worms associated with previously discovered spying operation in the Middle East, many of which have become associated with operations against Iran's controversial nuclear program. Leaked briefings from the Obama administration suggest both Flame and Stuxnet were joint US/Israeli operations

Madi is a Trojan that allows remote attackers to swipe sensitive files from infected Windows computers, monitor email and instant messages exchanges, record audio, log keystrokes, and take screenshots of victims' activities. in all these respects the malware is similar in capabilities to banking Trojans. Common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance also tapped integrated ERP/CRM systems, business contracts, and financial management systems.

Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers and thus monitor the spying operation, which they characterise as "amateurish and rudimentary" in execution.

"While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims," said Nicolas Brulez, a senior malware researcher at Kaspersky Lab. "Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection."

Aviv Raff, Chief Technology Officer, Seculert, added:

"Interestingly, our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language."

More on the Madi campaign can be found in a post on Seculert's blog (here) and from Kaspersky Lab here. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.