Mass Online Spying Campaign Hitting Middle East

A widespread online spying campaign has infected over 800 machines across the Middle East, many of which belonged to individuals working on Iranian and Israeli critical infrastructure projects, according to two security vendors.

Employees of Israeli financial institutions, Middle Eastern engineering students and various government agencies communicating in the Middle East were also hit by the “Madi” attacks, Kaspersky and Seculert found. The campaign has been going on for almost a year.

The Trojan used by the attackers allowed them to steal confidential files from infected Windows machines. It was also used to spy on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+ and Facebook accounts, whilst recording keystrokes and taking screenshots from people’s computers. Multiple gigabytes of data were pilfered from victims’ computers, Kaspersky said.

You must be Madi!

The Madi malware is not as sophisticated as other cyber-espionage toolkits such as Flame, or as Stuxnet, which was able to directly disrupt Iranian nuclear infrastructure. Nor does it take advantage of any zero-day vulnerabilities.

All backdoors used in the Madi operation were written in Delphi, which again hinted that the programmers were not highly technically proficient, or they were “developers in a rushed project”, Kaspersky said. Nevertheless, their method was effective.

“While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims,” said Nicolas Brulez, senior malware researcher at Kaspersky Lab. “Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection.”

The attackers used basic social engineering tricks to get the Madi Trojan onto systems, pushing attractive images and baffling written content in PowerPoint Slide Shows with attached malware downloaders.

They also sent targets what appeared to be data files, such as .jpg images or PDF files, but which were in fact executables that ran as soon as they were opened.
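A defender-side check for the lure described above (added example, not code from the article or from either vendor): it flags files whose name promises an image or PDF but whose content begins with a PE (`MZ`) header, and files carrying a double extension such as `photo.jpg.exe`. The magic-byte table and sample files are constructed for illustration.

```python
import os
from typing import Dict, Optional

# Magic bytes for the file types the lures claimed to be (constructed table).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
PE_MAGIC = b"MZ"  # DOS/PE executable header on Windows
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def classify(filename: str, head: bytes) -> Optional[str]:
    """Return a finding if the file looks like a disguised executable, else None.

    `head` is the first few bytes of the file's content.
    """
    name = filename.lower()
    root, ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(root)
    # Case 1: double extension, e.g. report.pdf.exe (Windows hides the last one by default).
    if ext in EXEC_EXTS and inner_ext in MAGIC:
        return f"double extension: claims {inner_ext} but is {ext}"
    # Case 2: document/image extension, but the content carries a PE header.
    if ext in MAGIC:
        if head.startswith(PE_MAGIC):
            return f"content is a PE executable despite {ext} extension"
        if not any(head.startswith(m) for m in MAGIC[ext]):
            return f"content does not match {ext} magic bytes"
    return None


def scan(samples: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Classify a batch of (filename, leading bytes) pairs."""
    return {name: classify(name, head) for name, head in samples.items()}


# Constructed samples, not real Madi artefacts.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",   # genuine JPEG header
    "invoice.pdf": b"%PDF-1.4\n",                      # genuine PDF header
    "photo.jpg.exe": b"MZ\x90\x00",                    # double extension
    "brief.pdf": b"MZ\x90\x00\x03\x00",                # PE disguised as PDF
    "notes.jpg": b"\x00\x00\x00\x00",                  # not a JPEG at all
}

if __name__ == "__main__":
    for fname, finding in scan(SAMPLES).items():
        print(f"{fname}: {finding or 'ok'}")
```

In a mail gateway or endpoint agent the same two checks would run on the real attachment bytes; reading only the first handful of bytes is enough for the header test.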

Kaspersky warned in a blog post that the campaign remained in operation, even though Kaspersky had helped set up a sinkhole so that infected machines connected to its servers rather than to the attackers’ command-and-control servers. “We are working with various organisations to clean up and prevent further infections,” the Russian firm added.

Seculert said it was “unclear whether this is a state-sponsored attack or not” and that there did not appear to be a link to Flame, which is believed to have been created by the same US-Israeli team which made Stuxnet. “The targeted organisations seem to be spread between members of the attacking group by giving each victim machine a specific prefix name, meaning that this operation might require a large investment and financial backing,” a blog post from the firm read.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
