New Malware ‘Mahdi’ Attack Is Ongoing, New Versions Expected

Image of a figure thought to represent Jesus, included as an attachment in emails containing a new type of malware known as Mahdi. Originally published by Kaspersky Labs on July 17, 2012.

The strange religious-themed malware “Mahdi” that has been detected recording information from computers in the Middle East is part of an ongoing surveillance campaign in the region, and more variants of the malware are expected to emerge, according to cybersecurity experts.

“We have analyzed several versions of the malware,” said Aviv Raff, chief technology officer of Seculert, an Israeli cybersecurity firm that was the first to detect and publicize the Mahdi malware on Tuesday.

“We are anticipating other versions to arrive, as the attack is still active,” Raff said in an email to TPM.

Mahdi, or Madi, as it is also known, is named after an Islamic concept of a messianic figure referenced in strings of code that make up the malicious software.

The malware, which has been found on 800 computers in the Middle East and Asia, including 387 in Iran, where it is most prevalent, also references Abrahamic religious concepts in its delivery mechanism: It infects computers in the form of a PowerPoint file sent as an email attachment, and the PowerPoint contains slides written in English and Farsi that mention Moses.

It also installs itself on computers through images disguised as text files, including one that appears to be an optical illusion of the face of Jesus. The Madi malware is capable of surreptitiously recording keystrokes, capturing screenshots of a user’s activity as well as recording audio of conversations around the computer, among other capabilities.

The purpose of the Madi malware appears to be a massive surveillance and information-stealing campaign, according to experts at Kaspersky Labs, a cybersecurity firm based in Russia that is working with Seculert on the analysis, detection and mitigation.

Madi seems to be designed for “sustained data retrieval and large scale surveillance of a regional, select set of sectors, organizations, individuals and events in the Middle East,” according to a statement from the Kaspersky Lab Global Research & Analysis Team provided to TPM via email.

Kaspersky’s analysts continued:

“Monitored data includes business people working on critical infrastructure projects, government agencies in the Middle East, Israeli banks, engineering/high tech firms, and engineering students.”

But like Seculert, the Russian firm does not believe the attackers will stop the campaign just because Madi has been discovered and publicized.

“This operation is still on-going as well as the investigation,” Kaspersky added.

Neither cybersecurity firm would speculate on the potential identity of the creators of the Madi malware, beyond pointing out that the malware contains strings of code written in Farsi, references dates on the Persian calendar, and appears to have been written by amateurs or developed sloppily in a hurry. Its backdoors (the access points created by the malware for its operators to easily access infected machines going forward, even if detected) are much “larger and slower than necessary,” according to Kaspersky.

Most intriguingly of all, the virus appears to be communicating with a server in Canada owned by a legitimate company, according to Raff. He declined to name the specific company, as the investigation, like the malware campaign, continues.
