Researchers from Kaspersky Labs and Seculert have teamed up to investigate a new malware that has infected over 800 PCs in Middle Eastern countries, primarily targeting infrastructure companies, the finance industry, and government departments. The malware, known as Madi or Mahdi, logs keystrokes, screenshots, and can record audio using the computer's microphone. Mahdi,
which means "messiah" in the Islamic faith, then uploads all of this information to a remote server. While the source of the malware is currently unknown, Mahdi is primarily concentrated in Iran with 387 infections, but is also found in Israel, Afghanistan, the United Arab Emirates, and Saudi Arabia.
While Mahdi is targeting locations and institutions similar to previous malware attacks like Stuxnet and Flame, its methods are very different. Both Stuxnet and Flame relied on sophisticated coding and zero-day exploits, whereas Mahdi relies on user ignorance and was coded using Delphi, which Kaspersky says "would be expected from more amateur programmers." One method of infection involves disguising a malicious executable file as "picturcs..jpg" using the "Right to Left Override" technique, tricking victims into opening the executable "pictu?gpj..scr" file. Another method involved spreading the infection through embedded media in PowerPoint slides that attempt to mislead users into running the file.
Seculert has tracked the malware back to December 2011 when it was found communicating with a remote server located in Canada. Now, the server with which Mahdi communicates is located in Tehran, Iran, near the heart of the infection zone. The source of the malware is currently unknown, but the amateur appearance and reliance on victim gullibility makes Mahdi a more easily preventable attack than Flame and Stuxnet.