New Madi instance and “AC/DC” virus, Middle East as shooting range

Pierluigi Paganini July 26, 2012

The Middle East has always been considered an area of the planet’s turbulent for the continuing conflict and political tensions among the states that inhabit it. In the last two years, the tensions seem to have intensified and with it has grown the diffusion of malware for cyber espionage and for offensive purposes. In the eyes of the world time zero is represented by the spread of the virus Stuxnet developed by U.S. and widespread in Iran with the intent to interfere with the country’s nuclear program.

In the following months there were findings of new malicious agents of unknown paternity that have hit the same area, we cannot forget the Duqu and the theory of the Tilded platform and also the Flame malware.

But every place in the world is attacked daily by malware, why we are discussing of Middle East?

Well, in this area the number of malware that have been developed for state sponsored projects represent surely an anomaly. All the example provided are evidence of the intent of governments to hit its enemies in the cyber space to steal sensible information or to destroy their critical infrastructures.

Exactly one week ago thanks to the investigation of the team of Kaspersky lab and its partner Seculert firm have discovered an ongoing campaign to conduct a large scale infiltration of computer systems in the Middle East area. The campaign has targeted individuals across several states of the area such as Iran, Afghanistan and also Israel.

The operation discovered has been named “Madi” due the presence of certain strings used by the attackers.

Kaspersky Lab and Seculert have isolated the agents and identified the Madi Command & Control (C&C) servers, identifying more than 800 victims located in Middle East area and other select countries across the globe.

The Madi malware enables remote attackers to steal sensitive files from infected Windows computers, monitor all the activities of infected machines, first investigations suggest that multiple gigabytes of data have been stolen, according the experts  the campaign start seems dated at least 8 months.

What’s new in the last version detected?

It contains many interesting improvements and also new features. It now has the ability to monitor VKontakte, the major Russian social network, and it is also able to spy on Jabber conversation.

The malware is also able to work silently monitoring user navigation on specific web sites that contains specific keyworkds such as:

“gmail”, “hotmail”, “yahoo! mail” , “google+”, “msn messenger”, “blogger”, “massenger”, “profile”, “icq” , “paltalk”, “yahoo! messenger for the web”,”skype”, “facebook” ,”imo”, “meebo”, “state” , “usa” , “u.s”,”contact” ,”chat” ,”gov”, “aol”,”hush”,”live”,”oovoo”,”aim”,”msn”,”talk”,”steam”,”vkontakte”,”hyves”, “myspace”,”jabber”,”share”,”outlook”,”lotus”,”career”

Once the agent notes that user visit one of the monitored sites it takes screenshots and  upload them to the control server.

Even if the keylogger functionality is the same of the older version, new variant has various changes, the most meaningful is the behavior of the info stealer that no longer waits for “commands” from the C2 instead, it simply uploads all stolen data to the control server right away.

Where are located the new command and control server?

Kaspersky team has localized them still in Montreal meanwhile previous servers were also located in Tehran.

Well it’s clear that operation are still continuing despite the discovery of the malware, the campaign has the unique intent to collect the largest amount of information possible.

It’s not clear who is behind the attack but is evident that the campaign is state-sponsored with cyber espionage intents.

But as introduced in the title of the post the Middle East is becoming shooting range for malware diffusion, as mentioned I refer of course of state sponsored attacks that demonstrate the increasing interest in cyber warfare of governments.

Another news has recently alerted the international security community, a scientist working at the Atomic Energy Organisation of Iran (AEOI) declared that computer systems have been hit by a new cyber-attack.

This new attack is really singular because it forced computers to play AC/DC’s Thunderstruck at full volume in the middle of the night.

F-Secure was the first security firm informed of the attack, it has in fact received an  email from AEOI that recited:

“I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom.

According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down. I only know very little about these cyber issues as I am scientist not a computer expert.

There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing ‘Thunderstruck’ by AC/DC.”

Why the attacker would have to make noise?

I find only two simple explanations:

  • it is a diversionary operation that is trying to cover a new real attack. It could be also used to test the enemy defense trying to discovery the potential impact of a new malware.
  • the malware has been developed by non-government team, it could be also the opera of isolated group of hackers, any way to give a valid judgment are necessary more info on the event.

The diffusion of malware in the Middle East area must be considered a serious phenomenon for several reason, let’s consider that cyberspace has no boundaries and the effect of a malware in not limited to a specific area, Stuxnet gives us a great example. Are we really ready to mitigate these cyber weapons escaped the control?

For sure we are still too vulnerable to consider ourselves at secure.

Second remarkable aspect is the risk that these agents could be reverse engineered to create new variant more aggressive starting from the original malware.

The operations could be performed by governments but don’t forget the increasing phenomenon of cyber terrorism.

As stated several times we are in the middle of a cyber war!

Pierluigi Paganini



you might also like

leave a comment