Madi Spy Malware Returns To Target US Government Users

The Madi malware, which had been used in a cyber espionage campaign in the Middle East, has been resurrected and is targeting users of US government websites.

Prior to its command and control (C&C) infrastructure being taken out last week, Madi had infected over 800 machines, including those belonging to individuals working on Iranian and Israeli critical infrastructure projects. It sought to steal confidential files from infected Windows computers and watch over email, Facebook and Skype conversations, whilst recording keystrokes and screenshots.

A fresh variant with new capabilities has emerged, Kaspersky reported today. When an infected user visits a web page whose title contains both “USA” and “gov”, the malware takes screenshots and sends them to the attackers.

Blame Canada?

A new command and control server has been set up in Canada, and stolen information is now sent directly to that server rather than held back until the malware receives a command to upload it.

“Today’s findings indicate that the Madi campaign is still ongoing and its perpetrators are busy shipping out new versions with improved features and new tricks. The additional checks for “USA” and “gov” might indicate a shift of focus from targets in Israel to the USA,” said Kaspersky Lab expert Nicolas Brulez, in a blog post.

Madi, which was only spotted a year after it started infecting machines, is not as complex as other cyber espionage tools seen in recent times, such as Flame. It does not exploit any zero-day vulnerabilities, and all of its backdoors were written in Delphi, which again suggested that the programmers were not highly technically proficient, Kaspersky said.

Basic social engineering tricks were used as well. Nevertheless, the attackers managed to carry out a sustained surveillance operation against high-profile victims.

Seculert, the security company that worked on identifying Madi with Kaspersky, said it was “unclear whether this is a state-sponsored attack or not” and that there did not appear to be a link to Flame, which is believed to have been created by the same US-Israeli team which made Stuxnet.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
