Computers throughout the Middle East are being infected by malware that appears to be part of a surveillance campaign that records users’ activity both on and, surprisingly, off the computer, according to reports.
The malware, called “Mahdi” – also known as Madi, and named after the Islamic concept of “the prophesied redeemer of Islam who will rule for seven, nine or nineteen years (according to various interpretations) before the Day of Judgment… and will rid the world of wrongdoing, injustice and tyranny” – was discovered on machines throughout the region earlier this week, and is believed to be just part of an ongoing attack on computers throughout the Middle East and Asia. “We have analyzed several versions of the malware [and] are anticipating other versions to arrive, as the attack is still active,” explained Aviv Raff, the chief technology office of cybersecurity firm Seculert, the company believed to have initially detected the malware.
According to analysis from Kapersky Labs, Mahdi has been working undetected for a long time now. “For almost a year, an ongoing campaign to infiltrate computer systems throughout the Middle East has targeted individuals across Iran, Israel, Afghanistan and others scattered across the globe,” the analysis opens, going on to suggest that it has already captured “large amounts of data” from “Middle Eastern critical infrastructure engineering forms, government agencies, financial houses and academia.”
The malware is believed to infect computers via a PowerPoint file sent as an email attachment, although it also reportedly installs itself via images disguised as text files. In an email to Talking Points Memo, a Kaspersky analyst explained that the malware appeared to have been created with the purpose of “sustained data retrieval and large scale surveillance of a regional, select set of sectors, organizations, individuals and events in the Middle East,” specifically “business people working on critical infrastructure projects, government agencies in the Middle East, Israeli banks, engineering/high tech firms, and engineering students.” It’s believed that the software not only records keystrokes, but snoops in all manner of concerning ways. According to the Kaspersky report, Mahdi does the following:
- Logs keystrokes
- Captures screenshots of infected computers at specified intervals
- Captures screenshots of infected computers when the user initiates a “communications event,” described by Kaspersky as “the victim is interacting with webmail, an IM client or social networking site,” with sites that initiate the screenshots including Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, Facebook and others
- Updating backdoor
- Recording and uploading outside audio as .wav files
- Retrieving “any combination of 27 different types of data files”
- Retrieving disk structures of the infected computer
- Delete and bind (“These are not fully implemented yet,” Kaspersky notes)
So far, Mahdi has been discovered on at least 800 machines. Both Kaspersky and Seculert expect that number to increase with more releases of the malware.