Mahdi malware discovered in the Middle East

The other day, a new piece of malware, dubbed “Mahdi'”, was discovered on various computers in the middle east.  Seculert reported on it the other day on their blog, saying that they had stumbled on it a few months ago.  A piece of spam arrived into their labs (by way of a honeypot?) with a malware attachment and a file called mahdi.txt. 

The content of the document was an article discussing Israel vs. Iran electronic warfare (see Figure 1).

The blog post goes on to say the following:

In May of 2012 Kaspersky Lab announced that they had discovered a highly sophisticated, malicious program that is actively being used as a cyber weapon to target entities in several countries. Named Flame, the malware was designed to carry out cyber espionage and is believed to exceed the complexity and functionality of other known attacks.

We contacted Kaspersky Lab in order to investigate possible similarities between Flame and Mahdi. We collaborated in the weeks that followed, with Kaspersky keeping a close eye on how the malware affected infected endpoints and Seculert analyzing the communication between the malware and the C&C servers. By using a Sinkhole and Seculert's big data analytics technology, we were able to identify over 800 victims, communicating with four different C&C servers over a period of eight months.

While we couldn't find a direct connection between the campaigns, the targeted victims of Mahdi include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern countries.

First Stuxnet.  Then Duqu.  Then Flame.  Now… Mahdi? 

Immediately when we see all the malware infections throughout the middle east, we start wondering who is behind the attacks. Reports Lucian Constantin on PC World:

The Mahdi samples analyzed by Seculert and Kaspersky attempted to communicate with four different command and control servers -- three of them located in Canada and one in Iran's capital, Tehran.

There's no definitive proof of the malware's origin yet. However, the presence of a command and control server in Tehran could suggest that the attackers are Iranian, especially since other clues found in the malware indicate that they are fluent in Farsi and use dates in the Persian calendar format, Raff said.

David Shamah, writing on ZDNet, writes the following:

…Mahdi appears to be far less sophisticated than Flame: in one of its permutations, for example, users are asked to click on what appears to be a JPEG, but is really an executable .scr file -- a trick many users are likely to spot.

The Trojan, which has affected computers in the Middle East and beyond, appears to be targeting Israeli users, with the messages it carries written in (very poorly-written) Hebrew.

The Mahdi Trojan may or may not have been designed in Iran: it apparently includes strings in Farsi as well as dates in the Persian calendar format.

I have some theories and my own analysis:

  • If Mahdi was written in Iran, then it makes sense that the malware contains references to Farsi as well as poorly written Hebrew.  It also makes sense that it is less sophisticated.  The reasons for this is that the ability of a country to conduct cyber espionage is proportional to its ability to conduct regular espionage.  Iran is not known to have as extensive espionage capabilities, and this malware would be a reflection of that.

    But this begs the question: if it was written in Iran, why are there so many infections in the same country?  Is it possible they were testing it and it got out into the wild?

  • If Mahdi was written by another country, say Israel, then this would be a much less sophisticated piece of malware that they are known or rumored to have developed.  By writing malware that is not as complex, they could be intentionally infecting themselves to make it look like someone else did it (i.e., it couldn’t be us, we write much more quality stuff), or perhaps this is a set of junior programmers doing their first attempt.
  • Of course, as the articles say, it still hasn’t even been determined that this is a state-sponsored attack.  It may simply be regular malware and the reason it’s on systems in multiple countries is because it was targeted at companies and businesses in multiple countries.

If this attack is state sponsored, then we are now in the early stages of cyber espionage where everyone is getting into the act.  For the second act, they will need to become better at concealing their malware from detection.

Skip to main content