Madi Trojan Continues After Getting Upgraded
Madi, the malicious program known to have been used in spying attacks on targets inside Israel and Iran during the third week of July 2012, has been found to be still active. It kept operating even after its command-and-control (C&C) server was disabled: on 25 July 2012 the Madi controllers revived it with a fresh, improved C&C server, according to security researchers from Kaspersky, the security company.
Explaining the nature of the new Madi version, Nicolas Brulez, security researcher at Kaspersky Lab, said that it transmits the entire cache of data stolen from infected PCs directly to the C&C server, even before the server issues the related instructions. This differs from the usual process that the original Madi version followed, he added. Threatpost.com published this on July 26, 2012.
Brulez also said that, according to new research, the Madi spying malware remains inactive for a full two days before beginning its espionage operations.
Overall, Kaspersky experts indicated that the fresh Madi variant has enhanced espionage abilities, enabling its controllers to intercept conversations, particularly on the Jabber instant messenger, as well as communications on VKontakte, the European social-networking site.
Additionally, the new C&C server is located in Montreal, Canada, while the earlier one had also been in Canada, alongside another in the Iranian capital, Tehran.
Intriguingly, Madi is delivered via PowerPoint and text files on religious topics, sent to specific targets.
Also interesting about the Trojan is that it watches for web users accessing URLs with "gov" or "USA" in their titles, then takes screenshots and transmits them to the C&C network. Brulez deduces that this extra check for "gov" and "USA" likely suggests the malware is shifting from Israeli targets to American ones. Ibtimes.co.uk published this on July 26, 2012.
Reportedly, Madi was originally discovered by Kaspersky and Seculert, both security firms. By now, the Trojan has captured several GB of data from victims' PCs. And while its source is presently unknown, vendors say the latest 2012 attack is probably government funded.
SPAMfighter News - 03-08-2012