Mahdi developers pushing updates to the spy trojan

Powered by SC Magazine
 

Targets people with links to the US.

The developers of espionage malware Mahdi, first reported by researchers in February, have been tweaking code so the trojan avoids detection.

The malware is spread through spear phishing emails, where victims click on malicious attachments and download spyware appearing to be .pdf and .jpeg files, or Microsoft PowerPoint slideshows.

Mahdi, which has mainly targeted government entities and financial services firms in Iran, but also Israel, Afghanistan and other neighboring countries, can log keystrokes, record audio and capture screenshots of its victims. Roughly 800 victims have been reported.

Aviv Raff, CTO at Israeli security firm Seculert, which discovered Mahdi earlier this year, said attackers – based on the websites they are targeting for spying – are increasingly searching for victims with ties to the United States.

"Currently, the interesting part is that the new malware versions which have been added have attacked entities that have a connection to the U.S. or visit the U.S. frequently,” Raff told SCMagazine.com on Thursday.

Developers have been aggressively pushing updates through their new command-and-control center, which Seculert researchers blogged about in July.

“We've seen dozens of new update pushes in the last few weeks,” Raff said. "Sometimes, even several times a day. Though the malware is identified as unsophisticated, the campaign by attackers has been effective."

Both Russian anti-virus company Kaspersky Lab and Seculert, which are working together to research Mahdi, have ruled out ties to Flame or other malware making headlines in recent months for targeting industries in the Middle East. The United States and Israel are believed to be behind Flame.

Kurt Baumgartner, senior security researcher at Kaspersky Lab, told SCMagazine.com on Thursday that other new Mahdi developments include attackers potentially using email lists at their disposal to send messages to victims in an attempt to dupe them into installing software infected by Mahdi.

He also added that the malware's video and audio surveillance capabilities haven't been used as much as other features.

“I'm not sure they really need it with the data they are already capturing,” Baumgartner said.

[An earlier version of this story incorrectly stated how the attackers were using the email lists.]

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


 
 
 
Top Stories
CIO exits as Coles steps up offshoring
Updated: Engages Accenture in Manila; staff to learn of their fate today.
 
Matching databases to Linux distros
Reviewed: OS-repository DBMSs, MariaDB vs MySQL.
 
Coalition's NBN cost-benefit study finds in favour of MTM
FTTP costs too much, would take too long.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  71%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  10%
TOTAL VOTES: 785

Vote