Mahdi Trojan Employed in Middle Eastern Cyber Espionage

Wednesday, July 18, 2012



Researchers at security provider Seculert have discovered yet another cyber espionage tool being employed in targeted attacks in several Middle Eastern nations.

The Mahdi Trojan is designed to harvest data from infected systems: it collects the contents of emails and instant-messaging conversations, logs keystrokes, takes screenshots, and records audio.

The malware was uncovered by Seculert researchers after the team analyzed an email being used in a targeted spear-phishing operation.

"Our Research Lab had identified a suspicious email which included a fake Word document attachment. Opening the attached file executed a malware dropper, and a "mahdi.txt" file which contained and opened a real Word document. The content of the document was an article discussing Israel vs. Iran electronic warfare," Seculert stated.

Unlike Flame and other recently discovered data-harvesting tools, parts of the Mahdi code contain strings written in Farsi, the Persian language; the name "Mahdi" itself is an Islamic term roughly equivalent to "messiah".

"Seculert's Research Lab began examining the malware communication with the command-and-control (C&C) server. Interestingly, we found that the communication, and several of the server side components, included strings in Farsi as well as dates in the Persian calendar format," the researchers noted.

The trojan communicates with its Command and Control (C&C) servers through web pages built to look like an ordinary Google page, so the traffic does not stand out and the victims remain unaware of the infection.

"The actual module code is base64 encoded and hidden within the HTML of the Google like web page," Seculert explained.
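Hiding a base64-encoded payload inside otherwise benign-looking HTML is a detection problem as much as an evasion trick: the page passes a casual look, but the blob is still there to be found. The following Python is an added example, not Seculert's code and not a reproduction of a real Mahdi page: it scans an HTML response for long base64 runs, decodes them, and classifies what they decode to. The sample page, the placement of the payload inside an HTML comment, and the fake `MZ`-headed "module" are all constructed for the example; the article only states that the module code is base64-encoded within the Google-like HTML, not where.

```python
import base64
import binascii
import re
import string
from typing import List, Optional

# Constructed sample, not captured traffic. The "module" is a stand-in for a
# Windows executable: an MZ header followed by padding and the familiar DOS
# stub text. Placing it in an HTML comment is an assumption for the example.
FAKE_MODULE = (
    b"MZ\x90\x00"
    + b"\x00" * 60
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 16
)

SAMPLE_PAGE = (
    "<!doctype html><html><head><title>Google</title></head><body>"
    '<div id="lga"><img alt="Google" src="/images/logo.png"></div>'
    '<form action="/search"><input name="q" type="text"></form>'
    "<!-- " + base64.b64encode(FAKE_MODULE).decode("ascii") + " -->"
    "<p>Advertising Programs Business Solutions About Google</p>"
    "</body></html>"
)

# A run of at least MIN_LEN base64 alphabet characters, optionally padded.
# Short runs are ignored to cut noise from ordinary tokens and identifiers.
MIN_LEN = 64
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_LEN)

PRINTABLE = set(string.printable.encode("ascii"))


def find_base64_runs(html: str) -> List[str]:
    """Return every candidate base64 run in the page, in document order."""
    return BASE64_RUN.findall(html)


def decode_run(run: str) -> Optional[bytes]:
    """Strictly decode a candidate run; None if it is not valid base64."""
    padded = run + "=" * (-len(run) % 4)  # restore stripped padding, if any
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(blob: bytes) -> str:
    """Coarse label for what a decoded blob looks like."""
    if blob.startswith(b"MZ"):
        return "pe-executable"
    if blob.startswith(b"PK\x03\x04"):
        return "zip-archive"
    non_printable = sum(1 for b in blob if b not in PRINTABLE)
    if non_printable / max(len(blob), 1) > 0.3:
        return "binary"
    return "text"


def scan_page(html: str) -> List[dict]:
    """Find, decode and classify base64 blobs embedded in an HTML page."""
    findings = []
    for run in find_base64_runs(html):
        blob = decode_run(run)
        if blob is None:
            continue  # long alphanumeric token that is not base64
        findings.append(
            {"offset": html.index(run), "length": len(blob), "kind": classify(blob)}
        )
    return findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print("base64 blob at offset %(offset)d: %(length)d bytes, %(kind)s" % f)
```

The decode-and-classify step is what keeps this usable: real pages (Google's included) carry long alphanumeric tokens and script, so matching the base64 alphabet alone produces false positives. Flagging only runs that decode cleanly to an executable, an archive, or mostly non-printable bytes narrows the alerts to pages that are actually carrying something.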

The C&C server examined was located in North America, but earlier versions of the malware communicated with a server in Iran.

"The variant we examined communicated with a server located in Canada. We were able to track variants of the same malware back to December 2011. Back then, the malware communicated with the same domain name, but the server was located in Tehran, Iran."

Using a sinkhole and data analytics, Seculert has so far identified more than 800 infected systems communicating with four C&C servers over most of the past year.

The researchers also looked into whether Mahdi was connected to the recently discovered Flame malware, which behaves similarly in that it extracts sensitive data and targets similar organizations.

"We contacted Kaspersky Lab in order to investigate possible similarities between Flame and Mahdi... While we couldn't find a direct connection between the campaigns, the targeted victims of Mahdi include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern countries," Seculert stated.

While the origin of Mahdi is still unknown, Seculert researchers believe that elements of the attacks point to an operation requiring funding and expertise comparable to state-sponsored initiatives like Flame.

"It is still unclear whether this is a state-sponsored attack or not. The targeted organizations seem to be spread between members of the attacking group by giving each victim machine a specific prefix name, meaning that this operation might require a large investment and financial backing," Seculert concluded.

