Madi Malware: Another Trojan Targets Organizations from the Middle East [Updated]

This article is copied from Softpedia:

Researchers from Symantec, Kaspersky and Seculert have all come across Madi (Madhi), a relatively new piece of malware that mainly targets organizations from the Middle East.

Before we take a look at Madi and compare it to other infamous Trojans such as Stuxnet, Duqu, or Flame, let’s take a quick look at its name.

According to Wikipedia, Mahdi is considered to be the redeemer of Islam who will rid the world of tyranny, injustice and wrongdoings.

So, will this malware be able to rule for seven, nine or nineteen years before the Day of Judgment as some prophecies say? Let’s see what the experts believe.

First observed in December 2011, Madi has mainly targeted computer systems from Iran, Israel, Saudi Arabia and Afghanistan, but also from other parts of the globe such as United States, New Zealand and Greece.

The organizations attacked with the aid of the Trojan include government agencies, financial houses, critical infrastructure engineering firms, oil companies, and think tanks.

After it’s installed on a device, Madi is able to take screenshots, record audio, retrieve disk structures, delete data, and update the backdoor. As expected, it also has keylogging functionality that allows it to collect all sorts of sensitive data.

While the locations of the targets indicate that this may be a state-sponsored campaign, other evidence found by Symantec leads researchers to believe that the attacks may actually be conducted by a “Farsi-speaking hacker with a broad agenda.”

However, there is something far more interesting about this virus. Unlike Flame, Duqu or Stuxnet – which leveraged zero-day exploits and other advanced techniques – Madi mainly relies on social engineering to infect machines.

The attacks start with enticing content such as news articles, religious images, controversial videos, and PowerPoint presentations that unleash the nasty Trojan.

So far, experts identified a number of 800 victims, communicating with four command and control servers.

Update 1: Iran: If the Madi cyber-strike was us it would’ve been another Stuxnet

Iran replied: “If this was a product of Iran it would be professional and at least as advanced as Stuxnet and Flame,” an English language editorial carried by the semi-official FARS news agency said.

Leave a Comment

Your email address will not be published. Required fields are marked *