The Madi campaign - Part II

From Botnets.fr
Jump to navigation Jump to search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

The Madi campaign - Part II
Botnet Madi
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2012 / July, 26 2012
Editor/Conference Kaspersky lab
Link http://www.securelist.com/en/blog/208193691/The Madi Campaign Part II (Archive copy)
Author Nicolas Brulez
Type

Abstract

our previous blogpost, we discussed the Madi campaign, uncovered through joint research with our partner Seculert.

In this blogpost, we will continue our analysis with information on the Madi infrastructure, communications, data collection, and victims.

The Madi infrastructure performs its surveillance operations and communications with a simple implementation as well. Five command and control (C2) web servers are currently up and running Microsoft IIS v7.0 web server along with exposed Microsoft Terminal service for RDP access, all maintaining identical copies of the custom, C# server manager software. These servers also act as the stolen data drops. The stolen data seems to be poorly organized on the server side, requiring multiple operators to log in and investigate the data per each of the compromised systems that they are managing over time.

The services at these IP addresses have been cycled through by the operators for unknown reasons. There does not appear to be a pattern to which malware reports to which server just yet. According to sinkhole data and other reliable sources, the approximate locations of Madi victims are distributed mainly within the Middle East, but some are scattered lightly throughout the US and EU. It seems that some of the victims are professionals and academia (both students and staff) running laptops infected with the Madi spyware, travelling throughout the world:

Bibtex

 @misc{Brulez2012BFR1070,
   editor = {Kaspersky lab},
   author = {Nicolas Brulez},
   title = {The Madi campaign - Part II},
   date = {Error: Invalid time.},
   month = Error: Invalid time.,
   year = {2012},
   howpublished = {\url{http://www.securelist.com/en/blog/208193691/The_Madi_Campaign_Part_II}},
 }