The discovery of a new piece of malware was announced in mid-July by Kaspersky Lab, one of OPSWAT’s Metascan Engine Partners. The malware, called Trojan.Win32.Madi or “Madi”, was first detected by Seculert, an Advanced Threat Detection company, which then worked with Kaspersky to investigate Madi’s role in an active cyber-espionage attack targeting critical infrastructure projects in Middle Eastern engineering, financial, and government organizations. Over an eight-month period, Kaspersky and Seculert’s joint investigation found over 800 victims around the world, concentrated mostly in Iran and Israel.
About a week after Kaspersky's Madi announcement, a new variant of the malware surfaced, which, according to Kaspersky's researchers, is very similar to the original code. This new variant, however, has been traced to a server in Montreal, whereas the original discovery was thought to be linked to Iran.
Although the Madi Trojan is “amateurish” according to Kaspersky’s reports and simple when compared with other recent malware such as Stuxnet and Flame, it has successfully collected sensitive data over a sustained period. Kaspersky noted that the malware also stands out because of the unusual presence of Persian strings in the code, indicating that the attackers were fluent in that language.
Despite recent discoveries of new variants and continued investigation of Madi, there is no solid evidence as to who the authors of the malware may be.