‘Mahdi’ Virus Acts Like Flame’s Unsophisticated Cousin

Researchers could not find many links between the new virus and Flame.

A new attack campaign has siphoned documents and keystrokes from victims worldwide using rudimentary and sometimes obvious methods, say various computer researchers. The objective -- to spy -- mirrors that of the recently uncovered Flame virus, an alleged U.S.-Israeli tool that collected troves of data in the Middle East for years.

But the researchers could not find any other links between the new virus, “Mahdi,” and Flame.

It is unclear if a nation state is behind Mahdi -- a name for the Islamic messiah. It is clear that the assailants took advantage of people who failed Safe Web Surfing 101. Unlike the Flame infection, which is planted stealthily, Mahdi’s malicious software is installed when victims click on suspicious-looking email attachments.

“The code of the malware is different, as well as the way it communicates with the command-and-control servers,” Aviv Raff, chief technology officer for Seculert, an Israel-based cybersecurity firm, told Nextgov. Seculert and Kaspersky Lab, which unearthed Flame, jointly took credit on Tuesday morning for identifying Mahdi, which derives its moniker from filenames used by the virus. Some of the communications between the servers and the malware include strings in Farsi and dates in the Persian calendar.

Later on Tuesday, Symantec suggested Mahdi is the work of an unknown Farsi-speaking hacker with a broad agenda.

The nearly year-long attack has targeted critical infrastructure companies, financial services firms and government embassies in Iran, Israel, Afghanistan, the United Arab Emirates and Saudi Arabia, according to Seculert. Symantec then said it’s seeing incidents everywhere from the continental United States and Alaska to Iran and Greece -- at oil companies, U.S.-based think tanks, one foreign consulate, and multiple governmental agencies. Seculert found remote servers located in Canada and Iran. Symantec pegged them to Iran and, more recently, Azerbaijan.

The discovery of the campaign came several months ago in the form of an email containing a file named Mahdi.txt, according to Seculert. Clicking on an attachment in the email opened malware and the contents of the Mahdi file -- a real Daily Beast article detailing an Israeli plot to jam emergency communications in Iran during a potential assault on Iran’s nuclear facilities.

Tricking computer users into opening malicious attachments by piquing their interest is one form of a common ruse called spearphishing.

With Mahdi, “most of the components are simple in concept, but effective in practice,” according to a statement on Kaspersky’s website. “No security researcher commitments or big salaries were required.”

Another spearphishing email used a PowerPoint slideshow named “Moses_pic1.pps” that instructed victims to conjure an optical illusion of the prophet by walking through a series of interactive, relaxing images, as Kaspersky’s website showed. But the whole thing was just a distraction to get the user to click on, and thereby activate, the embedded malware.

The ploys were basic not only in terms of delivery but in terms of execution, according to Kaspersky.

The Moses PowerPoint triggered a standard Microsoft dialog box warning users they may be on the verge of running malware: “You are about to activate an inserted object that might contain viruses or otherwise be harmful to your computer. Make sure the object is from a trustworthy source. Do you want to continue?”

Plus, the program is written in a programming language called Delphi, which is indicative of more amateur programmers or developers in a rushed project, Kaspersky researchers said.

Still, the unsophisticated malware gets the job done. Once activated, Mahdi communicates with a remote server that can command the program to monitor keystrokes, record audio, retrieve files, and capture screenshots of chat dialogues, webmail inboxes and other social media, according to Kaspersky.

After Kaspersky in May reported the existence of Flame, Seculert contacted the lab to investigate possible similarities between the two data-slurping worms. Both operations had been targeting organizations in Iran and Israel.

Raff said they are still looking for a connection between Mahdi and Flame, and that the malicious campaign is ongoing.

Now that the intruders’ cover is blown, “if they will feel that this publication will affect their campaign, they will probably try to go under the radar for a while, and will come up later on a different location,” he said.