Mahdi Malware Takes Aim at Iran as Cyber-Espionage Continues

The simple information-stealing Mahdi malware does not rely on attacking software vulnerabilities but by fooling humans. Still, it's infected some 800 systems, about half of which are in Iran.

By: Robert Lemos

A simple information-stealing program infiltrated about 800 computers in several Middle Eastern countries, but appears to have focused on Iran, according to analyses released July 17.

The malware, dubbed Mahdi, appears to be unrelated to Stuxnet, Duqu and Flame-three other well-known attacks targeted Iran, among other countries. While those attacks relied on the exploitation of software vulnerabilities, Mahdi fools users into opening an attached document and infects their computer. In one case, the attackers used an article about cyber-attacks on Iran, while in another case, the attackers used PowerPoint games and puzzles to fool users.

"These guys are successful but they are using very basic techniques," said Roel Schouwenberg, senior researcher at Kaspersky Lab, one of the companies that analyzed the attack. "It's scary that they are still so successful using these techniques."

The attackers focused on critical infrastructure engineering firms, government agencies, financial houses and academic organizations in the Middle East, according to Kaspersky. The company, along with its research partner Seculert, sifted through data found on one server to determine which victims had been affected.

Once a system was infected with Mahdi, which was named after files found in the malware, attackers had a number of options, such as keylogging, taking periodic screenshots and recording audio.

In total, the simple social engineering resulted in the computers of 800 victims being infected with the malware. Kaspersky and Seculert were able to reroute the infected systems communications and discovered that nearly 45 percent of the victims were located in Iran, another 7 percent in Israel, and less than 2 percent in Afghanistan.

Several characteristics of the malware suggest that the developer was Iranian. The command-and-control server included dates in the Persian calendar format and several strings in Farsi, a dialect of Persian most common in Iran. The malware uploaded data and received commands from a controller at a specific domain name, which was first assigned to a server in Canada and then to a server in Tehran.

The two companies are still searching through data and attempting to find clues as to the attacker's aims, says Kaspersky's Schouwenberg.

"We have been sifting through the data to get a better idea of the operation," said Schouwenberg. "The operation is still ongoing, so in a few days we may have more on that."

An Israeli bank, which was hit in February, believes that the Mahdi malware is responsible, said Schouwenberg.

In its own analysis of the threats, Symantec suggests the attack may be focused more on information systems in the United States and Israel. Targets include oil companies, U.S. policy think tanks, a foreign consulate, and other government agencies, the company stated. The security firm's data puts 72 percent of infections in Israel and 4 percent in the United States, but the data may be impacted by Symantec's customer base.

"Targets like Iran, Israel, and Saudi Arabia might suggest involvement of a nation state, however our research has not found evidence that this is the case," according to a Symantec blog post. "Instead, the current research indicates these attacks are being conducted by an unknown Farsi-speaking hacker with a broad agenda."