Iran still on target of Mahdi malware

Iran still on target of Mahdi malware

Iran still on target of 'Mahdi' malware after detection

In JULY Kaspersky Lab and Seculert revealed the presence of a new cyber-espionage weapon known targeting users in the Middle East. Despite the recent uncovering of the 'Madhi' malware that has infected several hundred computers in the Middle East, researchers say the virus is continuing to spread.

The malware, known as 'Mahdi' or 'Madi', was originally discovered by Seculert. In addition to stealing data from infected Windows computers, it is also capable of monitoring email and instant messages, recording audio, capturing keystrokes and taking screenshots of victims' computers.

Working together, researchers at Seculert and Kaspersky sinkholed the malware's command and control servers and monitored the campaign. What they found was a targeted attack that impacted more than 800 victims in Iran, Israel and other countries from around the globe.

Israeli security company Seculert said it had identified about 150 new victims over the past six weeks as developers of the Mahdi virus had changed the code to evade detection by anti-virus programs. That has brought the total number of infections found so far to nearly 1,000, the bulk of them in Iran.

"These guys continue to work," Seculert Chief Technology Officer Aviv Raff said via telephone from the company's headquarters in Israel. "This tells us that the attackers are still doing a very effective job with this surveillance malware," he said.

The majority of the victims were in Iran, and many were found to be businesspeople working on Iranian and Israeli critical-infrastructure projects, Israeli financial institutions, Middle East engineering students or various government agencies in the region. All totaled, multiple gigabytes of data are believed to have been uploaded from victims' computers, researchers have said.

Seculert and Kaspersky dubbed the campaign Mahdi after a term referring to the prophesied redeemer of Islam because evidence suggests the attackers used a folder with that name as they developed the software to run the project.

They also included a text file named mahdi.txt in the malicious software that infected target computers.