Mahdi developers pushing updates to the spy trojan


Targets people with links to the US.

The developers of espionage malware Mahdi, first reported by researchers in February, have been tweaking code so the trojan avoids detection.

The malware is spread through spear phishing emails: victims click on malicious attachments and download spyware that appears to be .pdf or .jpeg files, or Microsoft PowerPoint slideshows.

Mahdi, which has mainly targeted government entities and financial services firms in Iran, but also in Israel, Afghanistan and other neighboring countries, can log keystrokes, record audio and capture screenshots of its victims. Roughly 800 victims have been reported.

Aviv Raff, CTO at Israeli security firm Seculert, which discovered Mahdi earlier this year, said attackers – based on the websites they are targeting for spying – are increasingly searching for victims with ties to the United States.

"Currently, the interesting part is that the new malware versions which have been added have attacked entities that have a connection to the U.S. or visit the U.S. frequently," Raff told SCMagazine.com on Thursday.

Developers have been aggressively pushing updates through their new command-and-control center, which Seculert researchers blogged about in July.

"We've seen dozens of new update pushes in the last few weeks," Raff said. "Sometimes, even several times a day. Though the malware is identified as unsophisticated, the campaign by attackers has been effective."

Both Russian anti-virus company Kaspersky Lab and Seculert, which are working together to research Mahdi, have ruled out ties to Flame or other malware making headlines in recent months for targeting industries in the Middle East. The United States and Israel are believed to be behind Flame.

Kurt Baumgartner, senior security researcher at Kaspersky Lab, told SCMagazine.com on Thursday that other new Mahdi developments include attackers potentially using email lists at their disposal to send messages to victims in an attempt to dupe them into installing software infected by Mahdi.

He added that the malware's video and audio surveillance capabilities haven't been used as much as its other features.

"I'm not sure they really need it with the data they are already capturing," Baumgartner said.

[An earlier version of this story incorrectly stated how the attackers were using the email lists.]

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition