Mahdi developers pushing updates to the spy trojan

Powered by SC Magazine

Targets people with links to the US.

The developers of espionage malware Mahdi, first reported by researchers in February, have been tweaking code so the trojan avoids detection.

The malware is spread through spear phishing emails, where victims click on malicious attachments and download spyware appearing to be .pdf and .jpeg files, or Microsoft PowerPoint slideshows.

Mahdi, which has mainly targeted government entities and financial services firms in Iran, but also Israel, Afghanistan and other neighboring countries, can log keystrokes, record audio and capture screenshots of its victims. Roughly 800 victims have been reported.

Aviv Raff, CTO at Israeli security firm Seculert, which discovered Mahdi earlier this year, said attackers – based on the websites they are targeting for spying – are increasingly searching for victims with ties to the United States.

"Currently, the interesting part is that the new malware versions which have been added have attacked entities that have a connection to the U.S. or visit the U.S. frequently,” Raff told on Thursday.

Developers have been aggressively pushing updates through their new command-and-control center, which Seculert researchers blogged about in July.

“We've seen dozens of new update pushes in the last few weeks,” Raff said. "Sometimes, even several times a day. Though the malware is identified as unsophisticated, the campaign by attackers has been effective."

Both Russian anti-virus company Kaspersky Lab and Seculert, which are working together to research Mahdi, have ruled out ties to Flame or other malware making headlines in recent months for targeting industries in the Middle East. The United States and Israel are believed to be behind Flame.

Kurt Baumgartner, senior security researcher at Kaspersky Lab, told on Thursday that other new Mahdi developments include attackers potentially using email lists at their disposal to send messages to victims in an attempt to dupe them into installing software infected by Mahdi.

He also added that the malware's video and audio surveillance capabilities haven't been used as much as other features.

“I'm not sure they really need it with the data they are already capturing,” Baumgartner said.

[An earlier version of this story incorrectly stated how the attackers were using the email lists.]

This article originally appeared at

Copyright © SC Magazine, US edition

Top Stories
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
Sign up to receive iTnews email bulletins
Latest Comments
What is delaying adoption of public cloud in your organisation?

   |   View results
Lock-in concerns
Application integration concerns
Security and compliance concerns
Unreliable network infrastructure
Data sovereignty concerns
Lack of stakeholder support
Protecting on-premise IT jobs
Difficulty transitioning CapEx budget into OpEx