Mahdi Malware Takes Aim at Iran as Cyber-Espionage Continues - Security - News & Reviews - eWeek.com | eWeek

Mahdi Malware Takes Aim at Iran as Cyber-Espionage Continues

Written By
eweekdev
eweekdev
Jul 20, 2012
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

By: Robert Lemos

A simple information-stealing program infiltrated about 800 computers in several Middle Eastern countries, but appears to have focused on Iran, according to analyses released July 17.

The malware, dubbed Mahdi, appears to be unrelated to Stuxnet, Duqu and Flame-three other well-known attacks targeted Iran, among other countries. While those attacks relied on the exploitation of software vulnerabilities, Mahdi fools users into opening an attached document and infects their computer. In one case, the attackers used an article about cyber-attacks on Iran, while in another case, the attackers used PowerPoint games and puzzles to fool users.

“These guys are successful but they are using very basic techniques,” said Roel Schouwenberg, senior researcher at Kaspersky Lab, one of the companies that analyzed the attack. “It’s scary that they are still so successful using these techniques.”

The attackers focused on critical infrastructure engineering firms, government agencies, financial houses and academic organizations in the Middle East, according to Kaspersky. The company, along with its research partner Seculert, sifted through data found on one server to determine which victims had been affected.

Once a system was infected with Mahdi, which was named after files found in the malware, attackers had a number of options, such as keylogging, taking periodic screenshots and recording audio.

In total, the simple social engineering resulted in the computers of 800 victims being infected with the malware. Kaspersky and Seculert were able to reroute the infected systems communications and discovered that nearly 45 percent of the victims were located in Iran, another 7 percent in Israel, and less than 2 percent in Afghanistan.

Several characteristics of the malware suggest that the developer was Iranian. The command-and-control server included dates in the Persian calendar format and several strings in Farsi, a dialect of Persian most common in Iran. The malware uploaded data and received commands from a controller at a specific domain name, which was first assigned to a server in Canada and then to a server in Tehran.

The two companies are still searching through data and attempting to find clues as to the attacker’s aims, says Kaspersky’s Schouwenberg.

“We have been sifting through the data to get a better idea of the operation,” said Schouwenberg. “The operation is still ongoing, so in a few days we may have more on that.”

An Israeli bank, which was hit in February, believes that the Mahdi malware is responsible, said Schouwenberg.

In its own analysis of the threats, Symantec suggests the attack may be focused more on information systems in the United States and Israel. Targets include oil companies, U.S. policy think tanks, a foreign consulate, and other government agencies, the company stated. The security firm’s data puts 72 percent of infections in Israel and 4 percent in the United States, but the data may be impacted by Symantec’s customer base.

“Targets like Iran, Israel, and Saudi Arabia might suggest involvement of a nation state, however our research has not found evidence that this is the case,” according to a Symantec blog post. “Instead, the current research indicates these attacks are being conducted by an unknown Farsi-speaking hacker with a broad agenda.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.