Superbug 'Mahdi' Plagues Middle East Computers Using Social Engineering

Computer security firms Seculert and Kaspersky Lab recently joined forces to uncover the latest cyberwarfare superbug, Mahdi, according to InformationWeek. Named after the prophesied redeemer of Islam, this Trojan Horse “[roots] through computers to steal documents and record conversations.”

First discovered by Israel-based Seculert, the malware was found hidden in spear-phishing emails containing a seemingly benign attachment, such as an MS Word file. When opened, the attachment was found to contain a Daily Beast article detailing Israel’s plans to take out Iran’s infrastructure. Other attachments included a PowerPoint presentation in Hebrew and Farsi containing slides with religious references to Moses and Jesus.

PCWorld explains that these Word and PowerPoint files were used as ‘social engineering’ tactics to fool the recipient into thinking the entire attachment was benign. They explain that the malware installer is “embedded inside these files and gets executed if users agree to a PowerPoint security warning alerting them about the security risks associated with loading inserted objects.”
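The delivery vector described above is an inserted object inside a presentation. The following triage script is an added example, not code from the original article or from Seculert or Kaspersky Lab; it assumes the attachment is an OOXML .pptx container (a zip archive in which inserted objects are stored under ppt/embeddings/) and uses a constructed toy deck rather than a real sample.

```python
import io
import zipfile

# Compound-file header that OLE objects embedded via "Insert Object" carry.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def embedded_objects(pptx_bytes):
    """List (entry name, is_ole, contains_pe_header) for every object stored
    under ppt/embeddings/ in an OOXML .pptx container."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("ppt/embeddings/"):
                continue
            data = z.read(name)
            # A packaged executable is wrapped inside the OLE stream, so the
            # DOS "MZ" marker is searched for anywhere in the blob (heuristic).
            findings.append((name, data.startswith(OLE_MAGIC), b"MZ" in data))
    return findings


def triage(pptx_bytes):
    """Heuristic verdict for mail-gateway or incident-response triage."""
    objs = embedded_objects(pptx_bytes)
    if not objs:
        return "no embedded objects"
    if any(has_pe for _, _, has_pe in objs):
        return "suspicious: embedded object carries a PE header"
    return "review: embedded object present"


def build_sample(embedded=None):
    """Build a toy .pptx zip (constructed test data, not a real deck)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if embedded is not None:
            z.writestr("ppt/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(OLE_MAGIC + b"\x00" * 16 + b"MZ" + b"\x00" * 16)))
```

Any embedded object in an unsolicited deck is worth a look, since the warning dialog quoted above is the only thing standing between the recipient and the dropper.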

eWeek reports that as many as 800 computers were infected, many located in Iran. While targets were predominantly in the Middle East, Seculert found the malware linking to servers in both Iran and Canada. According to Reuters, Mahdi’s victims include “critical infrastructure companies, engineering students, financial services firms and government embassies located in five Middle Eastern countries.”

While considered much less sophisticated than other cyberespionage superbugs, like Flame and Stuxnet, Mahdi is still a very powerful piece of malware in its own right. Talking Points Memo lists its capabilities:

[K]eylogging, timed screenshot captures, remote controlled screenshots through Web chat clients such as Skype, audio recording, data retrieval, disk retrieval, disk access, delete functionality and backdoor access updates, to allow the attackers to infiltrate the machine even if the malware is found.

Although all three are considered heavyweights in the world of superbugs, it was initially unclear whether any tie exists between Mahdi and Flame/Stuxnet (the latter two were recently linked to the same operation). CNET reports that it is uncertain whether Mahdi was created under a state-sponsored program or built by private individuals.

A week after the initial posting, Seculert released new information about an updated version of Mahdi it had recently uncovered. According to this blog post, there may be a tie between Mahdi and Flame, based on a similarity found in their code. Further, Infosecurity reports that this latest version contains “many interesting improvements and new features” to further bolster the malware.

To read Kaspersky Lab’s original blog post detailing Mahdi’s timeline, go here, and for their updated post about the latest developments, go here.