Mahdi, the Messiah, Found Infecting Systems in Iran, Israel

Mahdi has targeted computers primarily in Iran and Israel, though it has also infected computers elsewhere in the Middle East. Courtesy of Seculert

Who knew that when the Messiah arrived to herald the Day of Judgment he’d first root through computers to steal documents and record conversations?

That’s what Mahdi, a new piece of spyware found targeting more than 800 victims in Iran and elsewhere in the Middle East, has been doing since last December, according to Russia-based Kaspersky Lab and Seculert, an Israeli security firm that discovered the malware.

Mahdi, which is named after files used in the malware, refers to the Muslim messiah who, it’s prophesied, will arrive before the end of time to cleanse the world of wrongdoing and bestow peace and justice before Judgment Day. But this recently discovered Mahdi is only interested in one kind of cleansing – vacuuming up PDFs, Excel files and Word documents from victim machines.

The malware, which is not sophisticated, according to Costin Raiu, senior security researcher at Kaspersky Lab, can be updated remotely from command-and-control servers to add various modules designed to steal documents, monitor keystrokes, take screenshots of e-mail communications and record audio.

While researchers have found no particular pattern to the infections, victims have included critical infrastructure engineering firms, financial service companies, and government agencies and embassies. Of the 800 targets discovered so far, 387 have been in Iran, 54 in Israel and the rest in other countries in the Middle East. Gigabytes of data were stolen over the last eight months.

According to Aviv Raff, CTO of Seculert, his lab received the first sign of the malware last February in the form of a spear-phishing e-mail with a Microsoft Word attachment. The document, once opened, contained a November 2011 article from the online news site The Daily Beast discussing Israel’s plan to use electronic weapons to take out Iran’s electric grid, internet, cellphone network, and emergency frequencies during an airstrike against Iran’s nuclear facilities.

If users clicked on the document, an executable launched on their machine that dropped backdoor services, which contacted a command-and-control server to receive instructions and other components. Researchers have discovered other variants that used malicious PDF and PowerPoint attachments, some of them containing images with various religious themes or tropical locations, that use simple social engineering techniques to confuse users into allowing the malware to load onto their machines.

One of the serene images that appears in a malicious PowerPoint file sent to victims. Courtesy of Kaspersky Lab

As Kaspersky Lab explains in a blog post, one of the PowerPoint variants displays “a series of calm, religious themed, serene wilderness, and tropical images, confusing the user into running the payload on their system,” leading them to ignore virus warnings that might appear on their screen.

“[W]hile PowerPoint presents users a dialog that the custom animation and activated content may execute a virus, not everyone pays attention to these warnings or takes them seriously, and just clicks through the dialog, running the malicious dropper,” Kaspersky writes.

While another image asks users to click the file, a dropper loads onto their machine. Although a virus warning displays onscreen, users are tricked into clicking through it because the slideshow has already primed them to click through the slides.

According to Kaspersky, the backdoors that infected machines were all coded in Delphi. “This would be expected from more amateur programmers, or developers in a rushed project,” they write in their blog post.

The earliest variant found so far infected machines in December 2011, but a compilation date on some of the files indicates the malware may have been written before last September.

The malware communicates with at least five servers – one in Tehran, and four in Canada, all hosted in different locations. Researchers at Kaspersky Lab created a sinkhole to divert traffic from some of the infected machines, but at least one server is still up and running, meaning the spy mission is still active.

Seculert contacted Kaspersky about Mahdi last month after researchers in Kaspersky’s lab discovered Flame, a massive, highly sophisticated piece of malware that infected systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation. Flame is also modular malware that allows its attackers to steal documents, take screenshots and record audio of Skype conversations or communications conducted in the vicinity of an infected machine.

Raff says his team in Israel reached out to Kaspersky because they thought there might be a connection between the two pieces of malware. But researchers have found no parallels between Mahdi and Flame. Raff notes, though, that “the guys behind them may be different, but they do have very similar purposes,” which is to spy on targets.

Recently, U.S. government sources told the Washington Post that Flame is the product of a joint operation between the United States and Israel.

Raff says it’s not clear if Mahdi is the product of a nation-state, but notes that the researchers found strings of Farsi in some of the communication between the malware and command-and-control servers, as well as dates written in the format of the Persian calendar.

“This is something we didn’t see before, so we thought it was interesting,” he says. “We are looking at a campaign that is using attackers who are fluent in Farsi.”

The infections in Iran and Israel, along with the Farsi strings, suggest the malware may be the product of Iran, used to spy primarily on domestic targets but also on targets in Israel and a handful of surrounding countries. But the malware could also be a product of Israel or another country that’s simply been salted with Farsi strings in order to point the finger at Tehran.

UPDATE 10:30am PST: A news story from an Israeli tech site back in February appears to refer to a Mahdi infection at Bank Hapoalim, one of Israel’s top banks. According to the story (which is in Hebrew), the attack came via a spear-phishing email that included a PowerPoint presentation and was sent to several bank employees. The malware includes a file called officeupdate.exe and tries to contact a remote server in Canada via a server in Iran.

Although the article does not directly identify the malware as Mahdi, it has multiple characteristics that match Mahdi, and it struck Bank Hapoalim around the same time that Seculert says it discovered Mahdi.

UPDATE 2:30pm PST: A reader has pointed out that the Hebrew in the PowerPoint slides above is incorrect and awkwardly phrased in several places and suggests that the author of the slides is not a native-Hebrew speaker.