A new variety of spyware has been targeting users in Iran, Israel and the Middle East for the last eight months according to joint research from Israeli security software firm Seculert and Kaspersky Lab.
The new malware is using a variety of odd techniques and misdirection to entice users to install it, and researchers say it is targeting a specific group of potentially high-value targets.
We’ve already seen Stuxnet, Flame and Duqu. It may now be time to add another name to the list of Middle East-targeting state-sponsored malware. Seculert calls the spyware “Mahdi,” after a filename used during the initial infection process. Kaspersky calls it “Madi” instead, for technical reasons and a desire to avoid a possibly offensive name. (In Islam, the Mahdi is the redeemer who teams up with Jesus to fight the Antichrist at the end of days. The Mahdi is especially important to the strain of Shia Islam practiced in Iran.) It’s not yet clear who’s behind Mahdi.
Seculert said communications between the spyware and its command-and-control servers, at least one of which was located in Canada, contained snippets of Farsi, the national language of Iran. Kaspersky’s report showed slides from a rigged PowerPoint presentation, part of the infection process, that have text in English and Hebrew. “It is still unclear whether this is a state-sponsored attack or not,” wrote the Seculert researchers in their blog posting.
The U.S. and Israeli governments have tacitly admitted creating Stuxnet, a worm that attacked and disabled an Iranian uranium-processing facility in 2010. Flame, a sophisticated piece of spyware discovered just two months ago but created as far back as 2007, was linked to American and Israeli military intelligence in a recent Washington Post story that neither government has contested. (Duqu, a Trojan that shares certain key components of Stuxnet, has not drawn as much media attention.) As with Flame, the greatest number of Mahdi infections appears to be in Iran, followed by Israel and the Palestinian territories. Other countries targeted by Mahdi include Afghanistan, the United Arab Emirates and Saudi Arabia — all countries of interest to the Iranian government.
“Large amounts of data collection reveal the focus of the campaign on Middle Eastern critical infrastructure engineering firms, government agencies, financial houses, and academia,” wrote the Kaspersky Global Research and Analysis Team in its blog posting. It’d be easy to see why Israel or Iran would want to spy on such targets in other countries, but less easy to imagine why either would want to spy on their own institutions and power plants as well. Not terribly sophisticated The attack is a relatively simple one and begins with a classic “phishing” scheme. A rigged Microsoft Word or PowerPoint file concerning Middle Eastern political issues is sent via email. When opened by the targeted computer’s user, it infects the system and grabs more files from the Internet.
Some infecting files are disguised by a bit of trickery: a hidden character reverses the text flow, so that what looks to a human like “picturcs..jpg” is actually “pictu?gpj..scr,” a Windows executable screensaver. Once fully installed, the spyware logs keystrokes, takes screenshots, records audio using a computer’s built-in microphone, maps the targeted machine’s internal file structure and copies various kinds of data files. Flame did all those things as well, but Mahdi has none of Flame’s innovative methods of forging Microsoft authentication signatures, evasion of anti-virus software or modular structure. Nor does it have Stuxnet or Duqu’s exploitation of previously unknown “zero-day” vulnerabilities. Expensive or not? Seculert and Kaspersky differed over whether the development of Mahdi required serious research or financing. (Stuxnet and Flame are estimated to have each cost many millions of dollars, beyond the budgets of cybercriminal groups.) “Most of the components are simple in concept, but effective in practice,” wrote the Kaspersky researchers. “No extended [zero]-day research efforts, no security researcher commitments or big salaries were required.” Seculert came to a different conclusion. “The targeted organizations seem to be spread between members of the attacking group by giving each victim machine a specific prefix name,” the Israeli firm’s blog posting said, “meaning that this operation might require a large investment and financial backing.”