The other day, a new piece of malware, dubbed “Mahdi”, was discovered on various computers in the Middle East. Seculert reported on it on their blog, saying that they had stumbled on it a few months ago. A piece of spam arrived in their labs (by way of a honeypot?) with a malware attachment and a file called mahdi.txt.
The content of the document was an article discussing Israel vs. Iran electronic warfare (see Figure 1).
The blog post goes on to say the following:
In May of 2012 Kaspersky Lab announced that they had discovered a highly sophisticated, malicious program that is actively being used as a cyber weapon to target entities in several countries. Named Flame, the malware was designed to carry out cyber espionage and is believed to exceed the complexity and functionality of other known attacks.
We contacted Kaspersky Lab in order to investigate possible similarities between Flame and Mahdi. We collaborated in the weeks that followed, with Kaspersky keeping a close eye on how the malware affected infected endpoints and Seculert analyzing the communication between the malware and the C&C servers. By using a Sinkhole and Seculert's big data analytics technology, we were able to identify over 800 victims, communicating with four different C&C servers over a period of eight months.
While we couldn't find a direct connection between the campaigns, the targeted victims of Mahdi include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern countries.
First Stuxnet. Then Duqu. Then Flame. Now… Mahdi?
As soon as we see all these malware infections throughout the Middle East, we start wondering who is behind the attacks. Lucian Constantin reports on PC World:
The Mahdi samples analyzed by Seculert and Kaspersky attempted to communicate with four different command and control servers -- three of them located in Canada and one in Iran's capital, Tehran.
There's no definitive proof of the malware's origin yet. However, the presence of a command and control server in Tehran could suggest that the attackers are Iranian, especially since other clues found in the malware indicate that they are fluent in Farsi and use dates in the Persian calendar format, Raff said.
David Shamah, writing on ZDNet, adds the following:
…Mahdi appears to be far less sophisticated than Flame: in one of its permutations, for example, users are asked to click on what appears to be a JPEG, but is really an executable .scr file -- a trick many users are likely to spot.
The Trojan, which has affected computers in the Middle East and beyond, appears to be targeting Israeli users, with the messages it carries written in (very poorly-written) Hebrew.
…
The Mahdi Trojan may or may not have been designed in Iran: it apparently includes strings in Farsi as well as dates in the Persian calendar format.
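The lure Shamah describes (a file that looks like a JPEG but is really an executable .scr) is something a mail gateway or triage script can flag by comparing the attachment's name against its leading bytes. This is an added example, not code from the original post or from any of the quoted reports; the attachment samples in it are constructed, and the function names are my own.

```python
"""Flag attachments that pose as images but are Windows executables.

Added example (not from the post or the reports it quotes). The samples in
SAMPLES are constructed to model the 'JPEG that is really a .scr' lure.
"""

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXEC_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl"}
JPEG_MAGIC = b"\xff\xd8\xff"   # every JPEG file starts with this marker
PE_MAGIC = b"MZ"               # DOS stub header present in every Windows PE


def split_exts(name):
    """All dotted suffixes, lowercased: 'a.jpg.scr' -> ['.jpg', '.scr']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_attachment(name, data):
    """Return (suspicious, reasons) for an attachment's name and first bytes."""
    reasons = []
    exts = split_exts(name)
    last = exts[-1] if exts else ""
    looks_like_image = any(e in IMAGE_EXTS for e in exts)
    # Windows hides known extensions by default, so 'photo.jpg.scr' is
    # displayed as 'photo.jpg'; the real (last) extension is what executes.
    if last in EXEC_EXTS:
        reasons.append("executable extension " + last)
        if looks_like_image:
            reasons.append("image extension used to disguise " + last)
    # The name promises an image but the header says Windows executable.
    if data.startswith(PE_MAGIC) and last in IMAGE_EXTS:
        reasons.append("PE header under image extension " + last)
    # The name promises a JPEG but the bytes are not a JPEG at all.
    if last in (".jpg", ".jpeg") and not data.startswith(JPEG_MAGIC):
        reasons.append("named .jpg but no JPEG header")
    return bool(reasons), reasons


# Constructed samples: (attachment name, first bytes of its content).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",   # genuine JPEG
    "photo.jpg.scr": b"MZ\x90\x00\x03\x00\x00\x00",  # disguised executable
    "scan.jpg": b"MZ\x90\x00\x03\x00\x00\x00",       # PE renamed to .jpg
    "mahdi.txt": b"Israel vs. Iran ...",            # plain text decoy
}


def scan_samples(samples=SAMPLES):
    """Return the names of attachments that should be quarantined."""
    return sorted(n for n, d in samples.items() if classify_attachment(n, d)[0])
```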
I have some theories and my own analysis:
If this attack is state-sponsored, then we are now in the early stages of cyber espionage, where everyone is getting into the act. For the second act, they will need to become better at concealing their malware from detection.