Mahdi cyberespionage malware infects computers in Iran, Israel, other Middle Eastern countries

Security researchers from Kaspersky Lab and Seculert discover new cyberespionage operation targeting Middle Eastern countries

A piece of malware called Mahdi or Madi has been used to spy on hundreds of targets from Iran, Israel and a few other Middle Eastern countries during the past eight months, according to researchers from security vendors Seculert and Kaspersky Lab.

Mahdi is capable of logging keystrokes, taking screenshots at specified intervals, recording audio and stealing a variety of documents, images, archives and other files, Kaspersky Lab researchers said in a blog post on Tuesday.

Its name comes from a file called mahdi.txt that gets dropped on infected computers. According to Islamic beliefs, Mahdi is a Messianic figure who will rule the world before Judgment Day and will cleanse it of injustice and wrongdoing.

Seculert discovered the Mahdi malware several months ago while investigating a suspicious email message with a fake document attached, the company's researchers said Tuesday in a blog post.

The company shared its findings with Kaspersky Lab in order to determine if Mahdi shares any similarities to Flame, a highly sophisticated cyberespionage threat that also targeted organizations from Iran and the Middle East.

The two companies worked together to redirect the malware's traffic to a server under their control -- an operation called sinkholing -- and analyze it. This allowed them to identify over 800 victims, most of them located in Iran and Israel.

"Large amounts of data collection reveal the focus of the campaign on Middle Eastern critical infrastructure engineering firms, government agencies, financial houses, and academia," the Kaspersky researchers said. "Individuals within this victim pool and their communications were selected for increased monitoring over extended periods of time."

The Mahdi malware is distributed via rogue emails that use basic social engineering techniques to trick recipients into opening specially crafted PowerPoint files.

The malware installer is embedded inside these files and gets executed if users agree to a PowerPoint security warning alerting them about the security risks associated with loading inserted objects.
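The delivery vector described above (an executable inserted as an object in a PowerPoint file) can be checked for on the way in. The following is an added example, not code from the article or the researchers, and it assumes the modern .pptx package format (a ZIP archive whose inserted objects live under ppt/embeddings/); the magic-byte rules and the sample package are constructed here for illustration.

```python
import io
import zipfile

# "MZ" opens a Windows PE executable; the 8-byte sequence is the OLE
# compound-file header that PowerPoint uses for inserted (Packager) objects.
MZ_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EMBED_DIR = "ppt/embeddings/"


def classify_embedding(data):
    """Heuristic label for one embedded object's bytes (simple rules, not a full parser)."""
    if data.startswith(MZ_MAGIC):
        return "pe"                      # raw executable stored as the object
    if data.startswith(OLE_MAGIC):
        # Packager objects keep the wrapped file uncompressed inside the OLE
        # container, so an "MZ" header in the body is a strong hint of a PE payload.
        return "ole+pe" if MZ_MAGIC in data[len(OLE_MAGIC):] else "ole"
    return "other"


def scan_pptx(pptx_bytes):
    """Return {object name: label} for every inserted object in a .pptx package.

    Anything labelled "pe" or "ole+pe" is the kind of attachment that only
    runs after the user clicks through PowerPoint's inserted-object warning.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as pkg:
        for name in pkg.namelist():
            if name.startswith(EMBED_DIR) and not name.endswith("/"):
                results[name] = classify_embedding(pkg.read(name))
    return results


def build_sample_pptx():
    """Constructed sample package (not a real lure) for exercising the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        pkg.writestr(EMBED_DIR + "oleObject1.bin", OLE_MAGIC + b"\x00" * 64 + b"MZ\x90\x00fake")
        pkg.writestr(EMBED_DIR + "oleObject2.bin", OLE_MAGIC + b"\x00" * 64)
        pkg.writestr(EMBED_DIR + "dropper.exe", b"MZ\x90\x00fake")
    return buf.getvalue()


if __name__ == "__main__":
    for name, label in scan_pptx(build_sample_pptx()).items():
        print(f"{label:7} {name}")
```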

It's not clear if this is a state-sponsored attack, Seculert's chief technology officer Aviv Raff said Tuesday via email. The Mahdi malware is not among the most complex cyberespionage threats ever found and, in fact, appears to have been written in a rush, he said.

However, "the targeted entities are spread within the members of the attack group, which might suggest that this attack requires large investment or financial backing," Raff said.

This attack campaign was implemented with limited and rudimentary technology, said Costin Raiu, director of Kaspersky Lab's global research and analysis team.

As far as complexity goes, the Mahdi attack would rank lower than the recent attacks against Tibetan and Uighur activists, Raiu said. At least those campaigns use some type of software exploits to install cyberespionage malware, whereas the Mahdi attackers relied solely on social engineering, he said.

The Mahdi samples analyzed by Seculert and Kaspersky attempted to communicate with four different command and control servers -- three of them located in Canada and one in Iran's capital, Tehran.

There's no definitive proof of the malware's origin yet. However, the presence of a command and control server in Tehran could suggest that the attackers are Iranian, especially since other clues found in the malware indicate that they are fluent in Farsi and use dates in the Persian calendar format, Raff said.

The fact that these attackers managed to infect hundreds of targets despite the simplicity of the techniques used is a bit puzzling, Raiu said. Every serious antivirus product should be able to catch and block this malware, he said.

It probably means that the victims were not using the right security products, Raff said. "As the attack is still active the number [of victims] will probably get higher."

Lucian Constantin

IDG News Service