The Madi campaign - Part II
| The Madi campaign - Part II | |
|---|---|
| Botnet | Madi |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / July 26, 2012 |
| Editor/Conference | Kaspersky lab |
| Link | http://www.securelist.com/en/blog/208193691/The_Madi_Campaign_Part_II |
| Author | Nicolas Brulez |
| Type | |
Abstract
“In our previous blogpost, we discussed the Madi campaign, uncovered through joint research with our partner Seculert.
In this blogpost, we will continue our analysis with information on the Madi infrastructure, communications, data collection, and victims.
The Madi infrastructure performs its surveillance operations and communications with a simple implementation as well. Five command and control (C2) web servers are currently up and running Microsoft IIS v7.0 web server along with exposed Microsoft Terminal service for RDP access, all maintaining identical copies of the custom, C# server manager software. These servers also act as the stolen data drops. The stolen data seems to be poorly organized on the server side, requiring multiple operators to log in and investigate the data per each of the compromised systems that they are managing over time.
The services at these IP addresses have been cycled through by the operators for unknown reasons. There does not appear to be a pattern to which malware reports to which server just yet. According to sinkhole data and other reliable sources, the approximate locations of Madi victims are distributed mainly within the Middle East, but some are scattered lightly throughout the US and EU. It seems that some of the victims are professionals and academia (both students and staff) running laptops infected with the Madi spyware, travelling throughout the world:
Bibtex
```bibtex
@misc{2012BFR1070,
  editor       = {Kaspersky lab},
  author       = {Nicolas Brulez},
  title        = {The Madi campaign - Part II},
  date         = {2012-07-26},
  month        = jul,
  year         = {2012},
  howpublished = {\url{http://www.securelist.com/en/blog/208193691/The_Madi_Campaign_Part_II}},
}
```