Mahdi developers pushing updates to the spy trojan

Powered by SC Magazine
 

Targets people with links to the US.

The developers of espionage malware Mahdi, first reported by researchers in February, have been tweaking code so the trojan avoids detection.

The malware is spread through spear phishing emails, where victims click on malicious attachments and download spyware appearing to be .pdf and .jpeg files, or Microsoft PowerPoint slideshows.

Mahdi, which has mainly targeted government entities and financial services firms in Iran, but also Israel, Afghanistan and other neighboring countries, can log keystrokes, record audio and capture screenshots of its victims. Roughly 800 victims have been reported.

Aviv Raff, CTO at Israeli security firm Seculert, which discovered Mahdi earlier this year, said attackers – based on the websites they are targeting for spying – are increasingly searching for victims with ties to the United States.

"Currently, the interesting part is that the new malware versions which have been added have attacked entities that have a connection to the U.S. or visit the U.S. frequently,” Raff told SCMagazine.com on Thursday.

Developers have been aggressively pushing updates through their new command-and-control center, which Seculert researchers blogged about in July.

“We've seen dozens of new update pushes in the last few weeks,” Raff said. "Sometimes, even several times a day. Though the malware is identified as unsophisticated, the campaign by attackers has been effective."

Both Russian anti-virus company Kaspersky Lab and Seculert, which are working together to research Mahdi, have ruled out ties to Flame or other malware making headlines in recent months for targeting industries in the Middle East. The United States and Israel are believed to be behind Flame.

Kurt Baumgartner, senior security researcher at Kaspersky Lab, told SCMagazine.com on Thursday that other new Mahdi developments include attackers potentially using email lists at their disposal to send messages to victims in an attempt to dupe them into installing software infected by Mahdi.

He also added that the malware's video and audio surveillance capabilities haven't been used as much as other features.

“I'm not sure they really need it with the data they are already capturing,” Baumgartner said.

[An earlier version of this story incorrectly stated how the attackers were using the email lists.]

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


 
 
 
Top Stories
Content, cost & constant innovation: How Foxtel plans to take on Netflix
Nell Payne inhabits the “brave new world of blue strings and networking”. Just don't ask her to put a TV screen on your microwave.
 
Sending in the drones
Margins are getting tighter in the industrial services industry, so Transfield Services' Stephen Phillips looks offshore - and to the skies - for the solutions he needs to keep pace.
 
Westpac fires starting pistol on core banking upgrade
St George readies itself for move to Celeriti.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Should Optus make a bid for iiNet?

   |   View results
Yes
  43%
 
No
  57%
TOTAL VOTES: 537

Vote