Researchers have discovered another piece of espionage malware targeting sensitive organizations in the Middle East, this time siphoning e-mails, passwords, computer files, and nearby conversations from more than 800 PCs operated by critical infrastructure companies, financial institutions, and government agencies.
Researchers from Kaspersky Lab and Seculert have dubbed the malware Madi or Mahdi, which in Islam is roughly analogous with Messiah. The name is based on several strings and handles used by the attackers. While its discovery immediately evoked comparisons to the Flame malware used to disrupt Iran’s nuclear program, separate analyses released on Tuesday by both companies cataloged significant differences between the two campaigns. Madi, for instance, wielded no zero-day vulnerabilities, contained amateur coding practices, and relied on the gullibility of its victims. Flame, by contrast, boasted world-class cryptographic breakthroughs and other hallmarks that could have come only from state-sponsored developers.
“While we couldn’t find a direct connection between the campaigns, the targeted victims of Mahdi include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern Countries,” the analysis from Seculert stated. “It is still unclear whether this is a state-sponsored attack or not.”
The campaign dates back at least to December and originates in e-mails that contain an array of news articles, videos, and religious-themed images depicting the wilderness or tropical settings. To mask the maliciousness of some of the payloads, the attackers used a technique known as “Right to Left Override” to name some files. By manipulating the Unicode or UTF-8 text of the filenames, they were able to make executable code appear as simple image files with titles such as “picturcs.jpg,” that were displayed with a common “.jpg” icon. Some of the attached material invites the reader to click on video files. Those who fell for the social-engineering ploy were then infected with malware.
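As an added illustration of the filename trick described above (example code, not from the article or from either vendor's analysis), the function below renders a filename the way a file manager would after a U+202E override and flags the mismatch between the displayed and the real extension. The sample name is constructed and assumes a .scr screensaver executable behind the “picturcs.jpg” display name, which the article does not specify.

```python
"""Flag Unicode bidirectional-override tricks in attachment filenames.

Simplified rendering model (an assumption of this example): text after
U+202E RIGHT-TO-LEFT OVERRIDE is displayed reversed until U+202C POP
DIRECTIONAL FORMATTING or the end of the string. Accurate for ASCII names.
"""
import os

# Bidi control characters that have no legitimate place in a filename.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Extensions that run when double-clicked on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def render_display_name(name: str) -> str:
    """Approximate what a user sees for a name containing an RLO character."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)  # end of the overridden run
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])  # shown right-to-left
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; skip them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_filename(name: str) -> dict:
    """Return what is displayed, what would actually run, and a verdict."""
    controls = sorted({BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS})
    displayed = render_display_name(name)
    actual_ext = os.path.splitext(name)[1].lower()
    displayed_ext = os.path.splitext(displayed)[1].lower()
    return {
        "displayed": displayed,
        "actual_ext": actual_ext,
        "displayed_ext": displayed_ext,
        "bidi_controls": controls,
        "executable": actual_ext in EXECUTABLE_EXTS,
        # Any bidi control in a filename is reason enough to quarantine.
        "suspicious": bool(controls),
    }
```

Constructed sample: the on-disk name "pictu\u202egpj.scr" is displayed as "picturcs.jpg" while the real extension is ".scr".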