Madi Spy Malware Returns To Target US Government Users


The Madi cyber espionage tool is back, and this time it is focusing on the West, not the Middle East

The Madi malware, which had been used in a cyber espionage campaign in the Middle East, has been resurrected and is targeting users of US government websites.

Prior to its command and control (C&C) infrastructure being taken out last week, Madi had infected over 800 machines, including those belonging to individuals working on Iranian and Israeli critical infrastructure projects. It sought to steal confidential files from infected Windows computers and watch over email, Facebook and Skype conversations, whilst recording keystrokes and screenshots.

A fresh variant has emerged, Kaspersky reported today, with some new powers. When infected users visit pages containing “USA” and “gov” in their titles, the malware takes screenshots and sends them to the attackers.

Blame Canada?

A new command and control server has been set up in Canada, and the malware now sends stolen information directly to the server rather than waiting for commands.

“Today’s findings indicate that the Madi campaign is still ongoing and its perpetrators are busy shipping out new versions with improved features and new tricks. The additional checks for “USA” and “gov” might indicate a shift of focus from targets in Israel to the USA,” said Kaspersky Lab expert Nicolas Brulez, in a blog post.

Madi, which was only spotted a year after it started infecting machines, is not as complex as other cyber espionage tools seen in recent times, such as Flame. It does not take advantage of any zero-day vulnerabilities and all its backdoors were written in Delphi, which again hinted that the programmers were not highly technically proficient, Kaspersky said.

Basic social engineering tricks were used as well. Nevertheless, the attackers managed to carry out a sustained surveillance operation against high-profile victims.

Seculert, the security company that worked on identifying Madi with Kaspersky, said it was “unclear whether this is a state-sponsored attack or not” and that there did not appear to be a link to Flame, which is believed to have been created by the same US-Israeli team which made Stuxnet.
