Security Researchers Find Flame Malware Mention in Mahdi Code

Researchers at Seculert have uncovered what could be evidence of a link between the Mahdi malware and the infamous Flame malware discovered earlier this year.

Though no strong connections have been found between the Flame and Mahdi campaigns, a small clue may have been unearthed in the code, according to Seculert,

“For each victim, the Mahdi malware assigns a unique identifier, which is used by the C&C server to identify which targeted entity it is communicating with,” according to Seculert. €œPart of this unique identifier is a prefix, which is used to help spread the targeted entities between the members of the attacking group and allow them to identify and manage a bulk of targeted entities.”

One of the prefixes used by targeted organizations to communicate with three of the four command-and-control (C&C) servers is “Flame.”

“The first targeted victim with the ‘Flame’ prefix began communicating with the C&C server in early June, right after the Kaspersky Lab discovery of Flame went public,” the firm noted. “Coincidence? Maybe. Another interesting thing to note is that some of the prefixes end with €œcoffinet.€ These include: Chabehar, Iranshahr, Khash, Nikshahr, Saravan, Zabol, all of which are cities and counties located in the southeast region of Iran.”

The malware, which is also spelled €œMadi,€ appears to have entered a more sophisticated phase. According to Kaspersky Lab, a newer variant of the malware has been spotted with additional capabilities. The new version, which Kaspersky researcher Nicolas Brulez reported, was compiled July 25.

“Following the shutdown of the Madi command-and-control domains last week, we thought the operation is now dead,” he blogged. “Looks like we were wrong.”

The new variant has the ability to monitor Jabber conversations as well as the Russian social network VKontakte. In addition, it looks for people who visit pages containing “USA” and “GOV” in their titles, he wrote. Other targeted keywords include “MSN Messenger,” “Facebook” and “Gmail.”

“In such cases, the malware makes screen shots and uploads them to the C2 [command-and-control server],” he explained.

“Perhaps the most important change,” he continued, “is the info stealer no longer waits for €œcommands€ from the C2€”instead, it simply uploads all stolen data to the server right away.

The variant uploads data to a command-and-control server located in Montreal, Canada, he noted. Other Mahdi command-and-control servers have also been located in Canada and Tehran.

Previously, researchers at Seculert and Kaspersky used a sinkhole to identify 800 victims who had communicated with four command-and-control servers. The majority of the victims were in Iran. Many of the victims were found to be business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle East engineering students or various government agencies in the region. All totaled, multiple gigabytes of data are believed to have been uploaded from victims’ computers, researchers have said.