Russian cybersecurity firm Kaspersky Labs and Israeli cybersecurity outfit Seculert have identified a new type of phishing malware called “Mahdi” affecting at least 800 computers throughout the Middle East and parts of Central Asia, with most infected machines detected in Iran, the firms reported Tuesday.
The malware, named “Mahdi” or “Madi” after strings of code referencing a prophesized Islamic messiah figure, is notable for its delivery mechanisms, among them email attachments of a religious-themed PowerPoint writted in English and Farsi, which includes references to Moses, a separately attached image (in a text file) of what appears to be Jesus, as well as another attached text file containing a November 2011 article from The Daily Beast entitled “Israel’s Secret Iran Attack Plan: Electronic Warfare”.
Here are images of the religious-themed PowerPoint containing the Mahdi download program posted online by Kaspersky:
And here’s a screengrab of The Daily Beast article that is included in some phishing emails as a .txt file attachment:
When opened or clicked, the infected files installed the Mahdi malware, which includes at least nine different espionage capabilities, according to Kaspersky: keylogging, timed screenshot captures, remote controlled screenshots through Web chat clients such as Skype, audio recording, data retrieval, disk retrieval, disk access, delete functionality and backdoor access updates, to allow the attackers to inflitrate the machine even if the malware is found.
The malware communicated with servers in Canada and in Tehran, Iran, according to Seculert.
Seculert said it did not have any evidence so far that the new Mahdi malware was related to the “Flame” information-stealing malware found on computers in the Middle East, mainly Iran, in late May, nor was there any connection yet between “Flame’s” cousin, the infamous “Stuxnet” worm reported to have caused physical damage to Iranian nuclear plant equipment in 2010.
The firms aren’t even sure if the Madhi malware is part of a state-sponsored campaign or not, yet. Kaspersky notes that the coding language used, Delphi, is more characteristic of amateurs or a rushed job.
But the malware is clearly concentrated in Iran, as seen from the following map of the number of infected computers detected by country:
Further, Seculert pointed out that the targets of the Mahdi malware are certainly high-profile, including “critical infrastructure companies, financial services and government embassies.” Critical infrastructure generally refers to services like power plants, water treatment facilities, public transportation and other utilities critical to organized municipal functioning.
Iran’s government has yet to respond to the reports, but earlier in June, the country’s intelligence minister accused the United States and Israel of deploying a new wave of malware against the country’s nuclear facilities, following failed diplomatic talks on curbing Iran’s nuclear program in Moscow, Russia.