New espionage tool infects Middle East systems


A trojan has infected hundreds of systems in the Middle East in what Kaspersky says appears to be a new cyber-espionage campaign. The Mahdi trojan is far simpler than Flame or Stuxnet, and its code contains many Persian strings.

Kaspersky Lab and Seculert have discovered a new trojan that primarily infects systems in the Middle East and appears to be part of a state-run espionage campaign. It was first spotted in an email carrying what looked like an ordinary Word document; when the document was opened, it dropped the malware together with a text file named Mahdi. The trojan takes its name from that file: in Islamic tradition the Mahdi is the savior who, according to some sects, appears to announce the end of time.

According to Kaspersky, the trojan's downloader is also distributed inside PowerPoint presentations and as executable files disguised as images and videos, with accompanying text designed to lure the recipient into opening them. While the decoy image or video plays and gives the user no reason for suspicion, a keylogger, a screenshot grabber and data-stealing components run in the background; the malware can also record audio, and its backdoor can be updated remotely. The backdoors found so far are written in Delphi.
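The lure style described above, an executable dressed up as an image or video, can be caught on disk by comparing what a file's name claims with what its first bytes actually are. The script below is an added illustration for this article; it is not Mahdi's code and not Kaspersky's or Seculert's detection logic. It flags three things: a file whose media extension sits on top of a PE ("MZ") header, a double-extension name such as "party.jpg.scr" that Windows will execute by its last extension, and a name containing the Unicode right-to-left override (U+202E), which makes the displayed extension read differently from the real one. The double-extension and U+202E checks are general masquerade techniques included as assumptions; the article does not say which of them Mahdi used. The sample files are constructed inline so the script runs offline.

```python
"""Flag executables masquerading as images or video by checking a file's
magic bytes against the type its name claims, and by catching names built
to hide an executable extension.

Added illustration for this article; not Mahdi's code and not a vendor's
detection logic. Sample files are constructed below.
"""
import os
import tempfile

# File signatures for the media types a lure claims to be: (offset, magics).
MEDIA_SIGNATURES = {
    ".jpg": (0, (b"\xff\xd8\xff",)),
    ".jpeg": (0, (b"\xff\xd8\xff",)),
    ".png": (0, (b"\x89PNG\r\n\x1a\n",)),
    ".gif": (0, (b"GIF87a", b"GIF89a")),
    ".avi": (0, (b"RIFF",)),
    ".mp4": (4, (b"ftyp",)),
    ".wmv": (0, (b"\x30\x26\xb2\x75",)),  # ASF container GUID prefix
}
# Extensions Windows executes on double-click (assumed list, not from the article).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".cpl"}
RTLO = "\u202e"  # right-to-left override; reverses how the rest of a name renders


def split_extensions(name):
    """Return (visible_ext, real_ext): 'party.jpg.scr' -> ('.jpg', '.scr')."""
    lower = name.lower().rstrip()
    root, real = os.path.splitext(lower)
    _, visible = os.path.splitext(root)
    return visible, real


def inspect_file(path):
    """Classify one file.

    'media'            name and content agree on a media type
    'double_extension' executable extension hidden behind a media one
    'rtlo_name'        Unicode override used to disguise the real extension
    'pe_masquerade'    media extension, but the content is a PE (MZ) image
    'mismatch'         media extension, content is neither media nor PE
    'unknown'          extension not covered by the signature table
    """
    name = os.path.basename(path)
    if RTLO in name:
        return "rtlo_name"
    visible, real = split_extensions(name)
    if real in EXECUTABLE_EXTS and visible in MEDIA_SIGNATURES:
        return "double_extension"
    sig = MEDIA_SIGNATURES.get(real)
    if sig is None:
        return "unknown"
    with open(path, "rb") as f:
        header = f.read(16)
    offset, magics = sig
    if any(header[offset:offset + len(m)] == m for m in magics):
        return "media"
    if header[:2] == b"MZ":
        return "pe_masquerade"
    return "mismatch"


def scan_dir(directory):
    """Map each file name in a directory to its verdict."""
    return {n: inspect_file(os.path.join(directory, n))
            for n in sorted(os.listdir(directory))}


def build_samples():
    """Write constructed sample files to a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="lures_")
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,        # genuine JPEG header
        "clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 4,  # genuine MP4 box
        "video.avi": b"MZ\x90\x00" + b"\x00" * 12,              # PE bytes, media name
        "party.jpg.scr": b"MZ\x90\x00" + b"\x00" * 12,          # classic double extension
        "report.pdf": b"%PDF-1.4" + b"\x00" * 8,                # not in the table
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for name, verdict in scan_dir(build_samples()).items():
        print(f"{name:16} {verdict}")
```

Run it against a download directory or an email-attachment quarantine by swapping build_samples() for the real path in scan_dir(). The signature table only needs to know the media types a lure pretends to be, so the "unknown" verdict is deliberate: anything outside it should be handled by a fuller file-type identifier rather than silently passed.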

The malware also monitored activity on Gmail, Hotmail, Yahoo Mail, ICQ, Skype, Google+ and Facebook, and scanned infected machines for ERP/CRM systems, business contracts and financial management systems.

In terms of design, the malware has nothing in common with sophisticated code such as Stuxnet or Flame; according to Kaspersky, the techniques used are simple but effective. The companies believe the attack is state espionage because of who was hit: the majority of the roughly 800 infected systems found were located in Iran and Israel. “Statistics show that the victims are mainly business people working for Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students and various government agencies in the Middle East,” Kaspersky said.

Both companies were able to take control of Mahdi’s command-and-control servers and therefore have a good picture of how it operates. Notably, Aviv Raff, chief technology officer at Seculert, pointed out that the malicious code contained many Persian strings: “The attackers were no doubt fluent in this language.”
