The Mahdi malware publicized in July has now spread its list of targets to organizations in the United States.
According to Seculert, since June, Mahdi has been able to successful target more than 150 new victims around the world, including some tied to the U.S. and Germany. The latest round of victims brings the total to about 1,000, the largest percentage of which is located in Iran.
In the past few weeks, the company said it has monitored dozens of new variants of Mahdi that are going undetected by many antivirus vendors. According to the company, the group behind the malware appears to be testing new and improved versions in order to find new ways to evade detection.
Aviv Raff, CTO of Seculert, said he was surprised that Mahdi has continued to circulate months after being so highly publicized.
"This tells us that the attackers are still doing a very effective job with this surveillance malware," he said.
The latest victims, Raff said, may be getting targeted because they are individuals or companies in the Middle East with connections to the U.S.
"Those victims are either travelling a lot to the U.S., or are actually based in the U.S.," he said.
Also spelled "Madi," the malware works to steal data from infected Windows computers. It is capable of monitoring email and instant messages, recording audio, capturing keystrokes and taking screen shots of infected computers. Previously, researchers at Seculert and Kaspersky Lab used a sinkhole to identify 800 victims who had communicated with four command-and-control servers in Canada.
The majority of the victims were in Iran, and many were found to be businesspeople working on Iranian and Israeli critical-infrastructure projects, Israeli financial institutions, Middle East engineering students or various government agencies in the region. All totaled, multiple gigabytes of data are believed to have been uploaded from victims' computers, researchers have said.
Seculert recently investigated a fifth command-and-control server located in Canada and discovered that different versions of the malware had been communicating with the server since June and that the server seems to have replaced the original server the company spotted back in February.