A cyber-espionage campaign dubbed as “Madi” targeting victims in Iran, Israel, and Afghanistan has been uncovered in a joint-investigation of Kaspersky Lab, a leading developer of secure content and threat management solutions with Seculert, an advanced threat detection company.
Madi’s purpose is to infiltrate computer networks in Middle Eastern engineering firms, government agencies, financial houses, and academic institutions. This is done by injecting a malicious Trojan spyware that steals a number of sensitive files from Windows computers, monitors sensitive communications such as email and instant messages, record audio, log keystrokes, and take screenshots of victims’ activities.
Photos below show some of the attractive images, confusing and religious themes embodied in PowerPoint Slide Shows containing the embedded Madi Trojan downloaders:
Security experts from Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the Command and Control (C&C) servers of the source of the campaign over the past eight months.
Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.
According to the data analysis, multiple gigabytes of data have been uploaded from victims’ computers. The malicious campaign, whose source has not yet been identified, relies mostly on social engineering techniques to distribute their spyware. Among the most commonly exploited social network services is Facebook.
The first of the two social engineering schemes utilizes attractive images and confusing themes embodied in Microsoft PowerPoint Slide Shows containing the embedded Madi Trojan downloaders and just clicking the infected PowerPoint file executes content to inject the Trojan.
Following the infection, the embedded Trojan downloader fetches and installs the backdoor services and related “housekeeping” data files on the victim system. One example, “Magic_Machine1123.pps”, delivers the embedded executable file within a confusing math puzzle PowerPoint Slide Show where the amount of math instructions may overwhelm a viewer.
Another PowerPoint Slide Show named “Moses_pic1.pps” walks the viewer through a series of calm, religious themed, serene wilderness, and tropical images, confusing the user into running the payload on their system without them knowing.
Some of the most common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated enterprise resource process systems, business contracts, and financial management systems.
“While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims,” said Nicolas Brulez, Senior Malware Researcher, Kaspersky Lab. “Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection.”
“Interestingly, our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language,” said Aviv Raff, Chief Technology Officer, Seculert.
Despite seemingly being used in Middle Eastern countries, the Madi campaign could still infect other PCs. Kaspersky Lab encourages PC owners to update their security applications to prevent infection.