
Middle East officials targeted by cyber espionage 'Madi' attackers

July 19 2012 at 11:52 AM

The M  (Login Mehran.)

 

 

Middle East officials targeted by cyber espionage 'Madi' attackers

Hacking group attacked critical infrastructure in Iran and Israel in eight-month spying campaign

Josh Halliday

guardian.co.uk, Tuesday 17 July 2012 14.09 BST

Government officials in the Middle East are among 800 victims of a sustained cyber espionage attack dubbed Madi targeting critical infrastructure in Iran and Israel, security experts have discovered.

A sophisticated hacking group, which moved its servers from the Iranian capital Tehran to Canada in January 2012, stole hundreds of sensitive documents from the officials and businesspeople in an eight-month spying campaign that began in December 2011, researchers from the security firms Kaspersky Labs and Seculert have told the Guardian.

Email and Facebook accounts belonging to the victims were also spied on during the attack, which follows a string of attempts to snoop on top-secret projects in the Middle East.

Researchers believe the attack, revealed for the first time on Tuesday, was coordinated from four bases in Canada by a group of Farsi-speaking hackers. It is not known whether the cyber espionage was state-sponsored.

Aviv Raff, chief technology officer of Seculert, told the Guardian: "Most of these 800 victims are from Middle Eastern countries, starting with Iran, then Israel, then Afghanistan, and are all from critical infrastructure companies, financial services and even government officials."

The attack secretly downloaded the Madi spying software on to a victim's computer when they downloaded an email attachment, usually in the form of an innocent-looking Microsoft PowerPoint file.

Once downloaded, the software installed a keylogger able to record every keystroke on the target's computer, to track login details for sensitive websites. The Madi malware could also take screenshots of a victim's computer activity – most commonly their email exchanges and social networking habits – and record audio. Gigabytes of data have been stolen from victims' computers over the eight-month period, the researchers said.

"While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims," said Nicolas Brulez, a senior malware researcher at Kaspersky Lab.

Unlike more commonly known spam emails, researchers said these messages were designed deliberately for their targets and not sent to tens of thousands of people across the world.

Some of the emails attached a PowerPoint presentation or a Word document, and others had a video of a missile test, pictures of a nuclear explosion and an image of Jesus. Another email contained a copy of a Daily Beast article discussing Israel and Iran.

Raff, from Seculert, said: "There's definitely a religious thing. They are trying to lure people to open these emails."

News of the latest cyber surveillance plot follows a string of other data snooping attempts discovered in the past 12 months. Two of the most complex online attacks ever discovered – Stuxnet and Flame – were revealed to have covertly targeted Tehran, in an attempt to sabotage Iran's nuclear program.

This article was amended on 18 July to reflect the fact that it was the hacking group's servers that were located in Canada, not the members of the group themselves.

 

http://www.guardian.co.uk/technology/2012/jul/17/middle-east-madi-attackers

 

 



Coalde
(Login cwc.mgmt)
CWC Member

Re: Middle East officials targeted by cyber espionage 'Madi' attackers

July 22 2012, 11:58 AM 

Some further insight into the Madi virus...

Iran: If the Madi cyber-strike was us it would've been another Stuxnet

'Cos we're as good as US/Israel!' ... Analysts divided

By John Leyden, 20th July 2012 13:50 GMT

Iranian state media has angrily rejected suggestions that the Madi cyber espionage campaign is anything to do with the Islamic Republic.

Madi had claimed more than 800 victims located in Iran, Israel, Afghanistan and elsewhere, according to the results of an eight-month investigation into the cyber-espionage tool by Kaspersky Lab and Seculert, first publicised on Tuesday.

Where previous high-profile attacks such as Flame, Duqu, and Stuxnet utilised zero-day vulnerabilities or forged digital certificates, Madi relies on basic, well-established engineering techniques to infect targeted computers. The attackers send spear-phishing emails to the targeted entities with different attachments (PowerPoint documents, fake Word documents, fake images, etc.) which have the malware embedded.

Attacks came under the guise of a video of a missile test, PowerPoint files featuring serene wilderness images and a copy of a Daily Beast article discussing electronic warfare between Israel and Iran, among others.

Researchers at Kaspersky Labs described the techniques used by the malware as amateurish and rudimentary, an assessment shared by Aviv Raff, CTO at Seculert.

"The malware itself is written is either an amateurish, or written in a rush in order to start the campaign as early as possible," Raff told El Reg. "It looks like native Persian speakers" created the malware, he added.

An Iranian state media outlet reacted with indignation to perceived suggestions that either its spies or its ordinary citizens were only capable of producing lame malware, such as Madi.

"If this was a product of Iran it would be professional and at least as advanced as Stuxnet and Flame," an English language editorial carried by the semi-official FARS news agency said.

The story bristled at the perceived suggestion that Madi was developed in response to the Flame and Stuxnet malware attacks against Iran's controversial nuclear weapons programme.

Madi (AKA Mahdi), named after files used in the malware, references the moniker of the Muslim messiah expected to cleanse the world of wrongdoing and bestow peace and justice before Judgment Day.

Whatever the significance or otherwise of this name, it's generally agreed that the malware is primarily designed to steal information from compromised machines. Almost three quarters (72 per cent) of Madi's cyber espionage targets were based in Israel, according to an analysis by Symantec.

Targets included oil companies, US-based think tanks, a foreign consulate, as well as various governmental agencies, some of which were in the energy sector. Isolated infections have occurred in the US and New Zealand, but most have been clustered in the Middle East, according to Symantec.

Kaspersky and Seculert, by contrast, argue that the highest concentration of Madi's confirmed 800 victims is in Iran. The malware has claimed 387 victims in Iran and 54 in Israel, the duo report.

The trojan has been communicating with command-and-control servers hosted in Canada, Iran and, more recently, Azerbaijan. Madi allows remote hackers to steal sensitive files from infected Windows computers, monitor email and instant message exchanges, record audio, log keystrokes, and take screenshots of victims' activities. Gigabytes of data were stolen over the last eight months.

Madi has emerged as the likely pathogen behind the malware-based attacks against Bank Hapoalim in Israel in Feb 2012.

Security experts are split over the likelihood or otherwise that a nation-state might be behind the attack.

"Targets like Iran, Israel, and Saudi Arabia might suggest involvement of a nation state, however our research has not found evidence that this is the case. Instead, the current research indicates these attacks are being conducted by an unknown Farsi-speaking hacker with a broad agenda," Symantec concludes.

However, Seculert's Raff is more open to the state-backed possibility, while dismissing any possible suggestion that Madi might be the work of regular cybercrooks.

"It's unclear if it is state-sponsored or not. But it does look like a campaign which requires large investment or financial backing," Raff told El Reg. "This malware also records sound and steals 27 different file types. So, I find it unlikely that the motive is cybercrime."

"It is definitely suited for surveillance against the targeted entities," he concluded.

http://www.theregister.co.uk/2012/07/20/madi_cyberspy_analysis/





 
 

Coalde
(Login cwc.mgmt)
CWC Member

Re: Middle East officials targeted by cyber espionage 'Madi' attackers

July 25 2012, 11:41 AM 

Well, it appears that this malware is quite unsophisticated and likely isn't part of any cyberwar against Iran or Israel...

Creators of Mahdi Spyware are an Embarrassment to Malware Makers Everywhere

The people behind the new "Mahdi," or "Madi," malware should be ashamed of themselves. Not for creating malware, but because Mahdi is embarrassingly ineffective, according to security researchers.

By Constantine von Hoffman, July 19, 2012

The creators of the malicious program "Madi" or "Mahdi," a new piece of malware that's currently targeting victims in the Middle East, have an unusual reason for keeping their identities secret: Their software is embarrassingly bad.

Seculert and Kaspersky Labs identified the program on Tuesday and you didn’t have to read too far between the lines to see that they were not impressed.

From Kaspersky:
  • The campaign relied on a couple of well known, simpler attack techniques to deliver the payloads, which reveals a bit about the victims' online awareness.
  • The first of the two social-engineering schemes that define spreading activity for this surveillance campaign is the use of attractive images and confusing themes embodied in PowerPoint Slide Shows containing the embedded Madi trojan downloaders. An "Activated Content" PowerPoint effect enables executable content within these spear-phish attachments to be run automatically. These embedded trojan downloaders in turn fetch and install the backdoor services and related "housekeeping" data files on the victim system. One example, "Magic_Machine1123.pps", delivers the embedded executable within a confusing math puzzle PowerPoint Slide Show where the amount of math instructions may overwhelm a viewer. Note that while PowerPoint presents users a dialog that the custom animation and activated content may execute a virus, not everyone pays attention to these warnings or takes them seriously, and just clicks through the dialog, running the malicious dropper.
In other words, Kaspersky thinks the malware is ugly and only a threat to idiots. Kaspersky then backs up its opinion with the following screenshots:

[linked images: three Kaspersky screenshots]

Seculert called it, “Interesting, yet simple.” Interesting – that’s the word you use when you’re trying to be polite about something you loathe. As in, “Thomas Kinkade and Leroy Neiman were very … ummm … interesting painters.”

Here’s a quote from NetworkWorld.com:
It's not clear if this is a state-sponsored attack, Seculert's chief technology officer Aviv Raff said Tuesday via email. The Mahdi malware is not among the most complex cyberespionage threats ever found and, in fact, appears to have been written in a rush, he said.
Costin Raiu, director of Kaspersky Lab's global research and analysis team, told NetworkWorld that Mahdi is far less complex than recent attacks against Tibetan and Uighur activists. “At least those campaigns use some type of software exploits to install cyberespionage malware, whereas the Mahdi attackers relied solely on social engineering,” Raiu said.

Ouch.

http://blogs.cio.com/security/17248/creators-mahdi-spyware-are-embarrassment-malware-makers-everywhere






    
This message has been edited by cwc.mgmt on Jul 25, 2012 11:41 AM
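The delivery pattern Kaspersky describes in the post above (trojan downloaders embedded in PowerPoint shows, plus fake Word documents and fake images) is the kind of thing a mail gateway can triage before a user ever sees the "activated content" dialog. The following is an added example, not code from the articles or from Kaspersky or Seculert; the magic-byte table, the contiguous-PE heuristic and the constructed sample blobs are my assumptions.

```python
from typing import List
import struct
# Magic bytes for the formats the Madi lures impersonated, plus PE executables.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .pps/.ppt/.doc container
    b"PK\x03\x04": "zip",                          # OOXML (.pptx/.docx) is a zip
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe",
}
EXPECTED = {**dict.fromkeys(("pps", "ppt", "doc"), "ole2"),
            **dict.fromkeys(("ppsx", "pptx", "docx"), "zip"), "jpg": "jpeg", "jpeg": "jpeg"}


def sniff(data: bytes) -> str:
    """Identify the real container type from leading magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def contains_pe(data: bytes) -> bool:
    """Heuristic: find an MZ header whose e_lfanew field points at a PE signature.
    Catches executables embedded as OLE objects when stored contiguously; fragmented streams evade it."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                return True
        pos = data.find(b"MZ", pos + 1)
    return False


def triage(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment should be held for review (empty list = pass)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    reasons = []
    if ext in EXPECTED and kind != EXPECTED[ext]:
        reasons.append(f"extension .{ext} expects {EXPECTED[ext]} but content is {kind}")
    if kind == "pe":
        reasons.append("attachment is a Windows executable")
    elif contains_pe(data):
        reasons.append("document container embeds a PE executable")
    return reasons


def make_pe_blob() -> bytes:
    """Constructed sample: a minimal MZ/PE header shape for testing, not a real program."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> offset 0x80
    return bytes(hdr) + b"\0" * 0x40 + b"PE\0\0" + b"\0" * 64
```

Run `triage("puzzle.pps", ole_bytes + make_pe_blob())` against a constructed OLE header sector to see the embedded-executable case flagged, and `triage("photo.jpg", make_pe_blob())` for the fake-image case.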

