Mahdi cyberespionage malware infects computers in Iran, Israel, other Middle Eastern countries

Security researchers from Kaspersky Lab and Seculert discover new cyberespionage operation targeting Middle Eastern countries

A piece of malware called Mahdi or Madi has been used to spy on hundreds of targets from Iran, Israel and a few other Middle Eastern countries during the past eight months, according to researchers from security vendors Seculert and Kaspersky Lab.

Mahdi is capable of logging keystrokes, taking screenshots at specified intervals, recording audio and stealing a variety of documents, images, archives and other files, Kaspersky Lab researchers said in a blog post on Tuesday.

Its name comes from a file called mahdi.txt that gets dropped on infected computers. According to Islamic beliefs, Mahdi is a Messianic figure who will rule the world before Judgment Day and will cleanse it of injustice and wrongdoing.

Seculert discovered the Mahdi malware several months ago while investigating a suspicious email message with a fake document attached, the company's researchers said Tuesday in a blog post.

The company shared its findings with Kaspersky Lab in order to determine if Mahdi shares any similarities to Flame, a highly sophisticated cyberespionage threat that also targeted organizations from Iran and the Middle East.

The two companies worked together to redirect the malware's traffic to a server under their control -- an operation called sinkholing -- and analyze it. This allowed them to identify over 800 victims, most of them located in Iran and Israel.

"Large amounts of data collection reveal the focus of the campaign on Middle Eastern critical infrastructure engineering firms, government agencies, financial houses, and academia," the Kaspersky researchers said. "Individuals within this victim pool and their communications were selected for increased monitoring over extended periods of time."

The Mahdi malware is distributed via rogue emails that use basic social engineering techniques to trick recipients into opening specially crafted PowerPoint files.

The malware installer is embedded inside these files and gets executed if users agree to a PowerPoint security warning alerting them about the security risks associated with loading inserted objects.

It's not clear if this is a state-sponsored attack, Seculert's chief technology officer Aviv Raff said Tuesday via email. The Mahdi malware is not among the most complex cyberespionage threats ever found and, in fact, appears to have been written in a rush, he said.

However, "the targeted entities are spread within the members of the attack group, which might suggest that this attack requires large investment or financial backing," Raff said.

This attack campaign was implemented with limited and rudimentary technology, said Costin Raiu, director of Kaspersky Lab's global research and analysis team.

As far as complexity goes, the Mahdi attack would rank lower than the recent attacks against Tibetan and Uighur activists, Raiu said. At least those campaigns use some type of software exploits to install cyberespionage malware, whereas the Mahdi attackers relied solely on social engineering, he said.

The Mahdi samples analyzed by Seculert and Kaspersky attempted to communicate with four different command and control servers -- three of them located in Canada and one in Iran's capital, Tehran.

There's no definitive proof of the malware's origin yet. However, the presence of a command and control server in Tehran could suggest that the attackers are Iranian, especially since other clues found in the malware indicate that they are fluent in Farsi and use dates in the Persian calendar format, Raff said.

The fact that these attackers managed to infect hundreds of targets despite the simplicity of the techniques used is a bit puzzling, Raiu said. Every serious antivirus product should be able to catch and block this malware, he said.

It probably means that the victims were not using the right security products, Raff said. "As the attack is still active the number [of victims] will probably get higher."

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place