Madi Malware: Advanced Persistent Threat Or Just A Threat?

Security researchers are calling Madi an example of an advanced persistent threat, but what makes an APT an APT?

Earlier this week, security researchers at
Kaspersky Lab and Seculert
reported the presence of a cyber-espionage tool known as Madi (also spelled Mahdi). The malware was quickly added to a growing list of Trojans that fall under the umbrella of advanced persistent threats (APTs).
However, there were some things about Madi that werent very advanced at all, raising the question about just what constitutes an APT.
We see many attacks from APT where the A really isnt applicable, says Roel Schouwenberg, senior researcher at Kaspersky, who added he does not like the term APT because of the confusion it causes. [These attacks are] persistent, but thats about it. But as we can see, like with Madi, persistence by itself will still get you somewhere.
The Madi attacks qualify as APT, however, because they are also go after industrial designs, meaning there is IP theft, he said. Once on a system, Madi is capable of not only stealing data from infected Windows machines, but also monitoring email and instant messages, recording audio, capturing keystrokes, and taking screenshots of victims computers. Researchers at Seculert and Kaspersky worked in concert to sinkhole the malwares command and control servers and analyze eight months of the campaign. Their efforts uncovered a targeted attack campaign with more than 800 victims in Iran, Israel, and other countries from around the globe.
Many of the victims were discovered to be businesspeople working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, or various government agencies in the region. All totaled, multiple gigabytes of data are believed to have been uploaded from victims computers.
To infect computers, the attackers relied on social engineering ploys designed to get users to open up PowerPoint slideshows containing the malicious file. Unlike Flame and Stuxnet, the attack did not rely on any zero-day exploits, and no evidence has been made public so far linking it to a nation-state.
The notable differences between APTs and common cyber-crimes are focus and patience, explains Richard Wang, director of North America SophosLabs, the research arm of Sophos. APTs focus on a particular target as opposed to attacking many in the hopes of success, he said.
The additional resources of an APT attacker can provide them with tools that are unavailable to common attackers, for example the certificate compromises and zero-day vulnerabilities we have seen used, Wang says. However some of the other tools they use can be those of more common attackers when trying to navigate a target network.
Aviv Raff, CTO of Seculert, agrees that the same tools are sometimes used by both types of attackers, but added that APT attackers also use their own custom-made malware for their operation. Opportunistic hackers on the other hand tend to use malware kits and not invest in development, he said.
In the case of Madi, the P in APT -- persistent -- is the key factor, he argues.
If the attack went under the radar for long enough time it should be considered APT ... The focus in APT is not always the motive, but rather the ability to have a stealth and successful attack over a long period of time, he says.
Unfortunately, the term APT is used to describe multiple different types of threats and there is no agreed upon exact definitions, says Liam O Murchu, manager of operations at Symantec Security Response.
Originally, it was coined to describe targeted attacks that used zero day vulnerabilities -- often in PDFs and other document formats -- that tried to stay undetected while siphoning intellectual property out of infected networks, he says. However, the term has since been used to describe all sorts of threats doing all sorts of things. Due to this, the term APT can mean many different things depending on who is using it and what their definition is.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps