On 17 July 2012, Kaspersky Lab and Seculert announced the discovery of Madi, an on-going cyber-espionage campaign in the Middle East. The Madi attackers infected more than 800 victims in Iran, Israel, Afghanistan, and other countries across the globe with a malicious info-stealing Trojan, which is delivered via social engineering schemes, to carefully selected targets.
Now, Kaspersky Lab’s experts published a detailed technical analysis of the info-stealing malware used by the Madi attackers. The analysis provides technical examples and explanations of each primary function of the info-stealing Trojan, and details how it’s installed on an infected machine, logs keystrokes, communicates with the C&Cs, steals and exfiltrates data, monitors communications, records audio, and captures screenshots.
Findings of the report include:
* Overall, the components of the Madi campaign are unsophisticated despite the high infection count of more than 800 victims.
* The development of the Madi info-stealing Trojan was an extremely rudimentary approach based on the attackers’ coding style, programming techniques and poor use of Delphi.
* Most of the info-stealers’ actions and communications with the C&C servers occur through external files, which is a disorganised and elementary way of coding in Delphi.
* Despite the crude coding of the malware, the high-profile victims were infected by the info-stealing Trojan by being tricked with social engineering schemes deployed by the Madi attackers.
* The Madi campaign demonstrates that even low quality malware can still successfully infect and steal data, so users should be increasingly careful of suspicious emails.
* No advanced exploit techniques or zero-days are used anywhere in the malware, which makes the overall success of the campaign very surprising.
* Madi was a low investment campaign regarding its developmental and operational efforts, however its return on investment was high considering the number of infected victims and amount of exfiltrated data.
* Although the malware had some unusual characteristics inside it, there is no solid evidence that points to who its authors are.