Mahdi

By JubileeX in Malware

A large-scale malware outbreak in the Middle East has been identified as Mahdi (the Arabic word for Messiah). Mahdi may be related to the infamous Flame outbreak of recent months, although a concrete link is yet to be identified. Mahdi is often delivered via malicious email messages containing PowerPoint or Word documents that exploit known vulnerabilities in order to install a dropper Trojan on the victim's computer system. These kinds of malicious file attachments are especially misleading because opening them actually displays a convincing facsimile of the supposed contents of the attachment while the infection occurs in the background. For example, ESG malware analysts have observed one Mahdi-carrying email attachment that displays landscape photographs and another that links to an actual article published recently in a magazine.

One suspicious fact about Mahdi is that many strings in its code are written entirely in Persian, a language mostly spoken in Afghanistan and Iran. Malware researchers have also observed that most of the infected computer systems belong to important government institutions, infrastructure entities, financial services firms, and other entities important for the normal functioning of a nation. The affected computer systems are mostly concentrated in Iran, but Mahdi infections have also been detected in other Middle Eastern countries, including Afghanistan, Israel, Saudi Arabia, and the United Arab Emirates. Although Mahdi has nowhere near the complexity of Flame, which is suspected to have been created by the United States government, or the devastating qualities of Stuxnet, the infamous and complex worm used to attack Iran's nuclear plants, Mahdi is suspected to have been developed with government support in order to aid espionage and cyber-warfare activities. At the very least, Mahdi's large-scale attacks would necessarily involve heavy financial backing from a wealthy sponsor.

Effects of a Mahdi Infection

The main payload of Mahdi appears to be a keylogger component that allows it to record keystrokes, isolate and save passwords, take screenshots, steal all kinds of documents, and carry out other behavior typical of Trojans on the infected computer. Mahdi connects to a command and control server and includes an identifier for the targeted institution in its communications. This identifier has allowed PC security researchers to determine that dozens of people are involved in what could be a large-scale espionage operation. Mahdi attacks have been ongoing since December but may have gone largely undetected for a number of reasons. Its command and control server was originally located in Iran and is currently in Canada.
