Mahdi cyberespionage malware infects computers in Iran, Israel, other Middle Eastern countries
Security researchers from Kaspersky Lab and Seculert discover new cyberespionage operation targeting Middle Eastern countries
IDG News Service - A piece of malware called Mahdi or Madi has been used to spy on hundreds of targets from Iran, Israel and a few other Middle Eastern countries during the past eight months, according to researchers from security vendors Seculert and Kaspersky Lab.
Mahdi is capable of logging keystrokes, taking screenshots at specified intervals, recording audio and stealing a variety of documents, images, archives and other files, Kaspersky Lab researchers said in a blog post on Tuesday.
Its name comes from a file called mahdi.txt that gets dropped on infected computers. According to Islamic beliefs, Mahdi is a Messianic figure who will rule the world before Judgment Day and will cleanse it of injustice and wrongdoing.
Seculert discovered the Mahdi malware several months ago while investigating a suspicious email message with a fake document attached, the company's researchers said Tuesday in a blog post.
The company shared its findings with Kaspersky Lab in order to determine if Mahdi shares any similarities to Flame, a highly sophisticated cyberespionage threat that also targeted organizations from Iran and the Middle East.
The two companies worked together to redirect the malware's traffic to a server under their control -- an operation called sinkholing -- and analyze it. This allowed them to identify over 800 victims, most of them located in Iran and Israel.
"Large amounts of data collection reveal the focus of the campaign on Middle Eastern critical infrastructure engineering firms, government agencies, financial houses, and academia," the Kaspersky researchers said. "Individuals within this victim pool and their communications were selected for increased monitoring over extended periods of time."
The Mahdi malware is distributed via rogue emails that use basic social engineering techniques to trick recipients into opening specially crafted PowerPoint files.
The malware installer is embedded inside these files and gets executed if users agree to a PowerPoint security warning alerting them about the security risks associated with loading inserted objects.
It's not clear if this is a state-sponsored attack, Seculert's chief technology officer Aviv Raff said Tuesday via email. The Mahdi malware is not among the most complex cyberespionage threats ever found and, in fact, appears to have been written in a rush, he said.
However, "the targeted entities are spread within the members of the attack group, which might suggest that this attack requires large investment or financial backing," Raff said.
This attack campaign was implemented with limited and rudimentary technology, said Costin Raiu, director of Kaspersky Lab's global research and analysis team.
As far as complexity goes, the Mahdi attack would rank lower than the recent attacks against Tibetan and Uighur activists, Raiu said. At least those campaigns use some type of software exploits to install cyberespionage malware, whereas the Mahdi attackers relied solely on social engineering, he said.
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- HTTP Status Code Cheat Sheet Look at the Graph, Find the Code and Boom - You're Solving Problems. Identifying and understanding common HTTP status codes can go a...
- Architects lead the next generation of data-driven applications Read this whitepaper to find out how application architects can quickly and confidently deliver long-lasting applications that minimize cost, complexity, and risk while...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Desktop Apps White Papers | Webcasts