On the July 17, 2012, Kaspersky Lab and Seculert announced the discovery of Madi, an on-going cyber-espionage campaign in the Middle East. The Madi attackers infected more than 800 victims in Iran, Israel, Afghanistan, and other countries across the globe with a malicious info-stealing Trojan, which is delivered via social engineering schemes, to carefully selected targets.

Today Kaspersky Lab’s experts published a detailed technical analysis of the info-stealing malware used by the Madi attackers. The analysis provides technical examples and explanations of each primary function of the info-stealing Trojan, and details how it’s installed on an infected machine, logs keystrokes, communicates with the C&Cs, steals and exfiltrates data, monitors communications, records audio, and captures screenshots.

Summary Findings:

Overall, the components of the Madi campaign are unsophisticated despite the high infection count of more than 800 victims.

The development of the Madi info-stealing Trojan was an extremely rudimentary approach based on the attackers’ coding style, programming techniques and poor use of Delphi.

Most of the info-stealers’ actions and communications with the C&C servers occur through external files, which is a disorganized and elementary way of coding in Delphi.

Despite the crude coding of the malware, the high-profile victims were infected by the info-stealing Trojan by being tricked with social engineering schemes deployed by the Madi attackers.

The Madi campaign demonstrates that even low quality malware can still successfully infect and steal data, so users should be increasingly careful of suspicious emails.

No advanced exploit techniques or zero-days are used anywhere in the malware, which makes the overall success of the campaign very surprising.

Madi was a low investment campaign regarding its developmental and operational efforts, but its return on investment was high considering the number of infected victims and amount of exfiltrated data.

Although the malware had some unusual characteristics inside it, there is no solid evidence that points to who its authors are.

To read the full analysis of Madi’s info-stealing malware, please visit Securelist.

Source: http://www.kaspersky.com/