Introduction
Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East. Common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.
Activities and Tactics
Targeted Sectors: Infrastructure, Engineering, Government, Administration, Finance, Government, Private sector
Country of Origin: 🇮🇷 Iran
Risk Level: High
First Seen: 2012
Last Activity: 2012
Incident Type: Espionage
Suspected Victims: Iran, Pakistan, Israel, United States
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public reports that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- CrossRat
Attribution and Evidence
Country of Origin: Iran Additional attribution information pending cataloguing.
References
References pending cataloguing.