Move over, Flame...

Religious-themed Mahdi, the Messiah, has been used to spy on hundreds of targets from Iran, Israel and a few other Middle Eastern countries during the past eight months...

Most likely you remember the extremely complex 'Flame' malware, which was discovered infiltrating Iranian computers.

Now, another one has been discovered by Kaspersky. Called Mahdi or Madi (which in Islam is roughly analogous with Messiah), it has netted more than 800 victims at government entities, financial institutions, engineering firms and critical infrastructure operations in the Middle East...

While its discovery immediately evoked comparisons to the Flame malware used to disrupt Iran's nuclear program, separate analyses released on Tuesday by Kaspersky and Seculert cataloged significant differences between the two campaigns. Madi, for instance, wielded no zero-day vulnerabilities, contained amateur coding practices, and relied on the gullibility of its victims. Flame, by contrast, boasted world-class cryptographic breakthroughs and other hallmarks that could have come only from state-sponsored developers.

"While we couldn't find a direct connection between the campaigns, the targeted victims of Mahdi include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern Countries," the analysis from Seculert stated. "It is still unclear whether this is a state-sponsored attack or not."

It seems that the campaign dates back at least to December and originates in e-mails that contain an array of news articles, videos, and religious-themed images depicting the wilderness or tropical settings, like this one:

The malware has the ability to log keystrokes, capture screenshots, and siphon any messages sent to or from a variety of widely used services including Gmail, Hotmail, Yahoo! Mail, Skype, or ICQ...

It can also record audio in the vicinity of an infected machine and save it for upload. One version examined by Seculert communicated with a server located in Canada. The researchers said an earlier variant connected to the same domain name, but at that time the server was located in Tehran, Iran.
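The detail above (one C2 domain name, first resolving to a server in Tehran and later to one in Canada) is the kind of infrastructure change a defender can watch for. The following script is an added example, not code from the article or from Kaspersky or Seculert: it walks constructed passive-DNS style records and flags any domain whose resolved server moved between countries. The domain names, IP addresses and timestamps are placeholders made up for the example.

```python
"""
Added example (not from the article, Kaspersky or Seculert): flag domains whose
resolved server changed country over time, the pattern described for the
Mahdi/Madi command-and-control domain (same name, server first in Tehran, later
in Canada). All records below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, domain, resolved_ip, country_code).
# The .invalid TLD and documentation IP ranges guarantee these are not real hosts.
SAMPLE_RECORDS = [
    ("2011-12-05T10:00:00", "c2.example.invalid", "203.0.113.10", "IR"),
    ("2012-01-15T09:30:00", "c2.example.invalid", "203.0.113.10", "IR"),
    ("2012-05-02T14:20:00", "c2.example.invalid", "198.51.100.7", "CA"),
    ("2012-05-03T08:05:00", "updates.example.invalid", "192.0.2.44", "US"),
    ("2012-06-01T11:00:00", "updates.example.invalid", "192.0.2.44", "US"),
]


def parse_records(records):
    """Group records per domain, each list sorted by time, as (ts, ip, country)."""
    by_domain = defaultdict(list)
    for ts, domain, ip, country in records:
        by_domain[domain].append((datetime.fromisoformat(ts), ip, country))
    for entries in by_domain.values():
        entries.sort()  # tuples sort by the datetime first
    return by_domain


def find_relocated_domains(records):
    """Return {domain: [(old_cc, old_ip, new_cc, new_ip, when_iso), ...]} for
    every domain whose resolved server changed country between observations."""
    findings = {}
    for domain, entries in parse_records(records).items():
        moves = []
        # Compare each observation with the one before it.
        for (_, prev_ip, prev_cc), (ts, ip, cc) in zip(entries, entries[1:]):
            if cc != prev_cc:
                moves.append((prev_cc, prev_ip, cc, ip, ts.isoformat()))
        if moves:
            findings[domain] = moves
    return findings


if __name__ == "__main__":
    for domain, moves in find_relocated_domains(SAMPLE_RECORDS).items():
        for old_cc, old_ip, new_cc, new_ip, when in moves:
            print(f"{domain}: {old_cc} ({old_ip}) -> {new_cc} ({new_ip}) at {when}")
```

Run as-is, it reports only c2.example.invalid, because the other domain never changed country. In practice the records would come from a passive-DNS feed or proxy logs joined with a GeoIP lookup, and a flagged domain is a lead to investigate, not proof of malice.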

So, who's behind this one? We may find out in the coming weeks or months.

Go to the official Kaspersky blog for more info about the malware.

NEWS SOURCE #1: Move over Flame Messiah themed Malware targets Iran Israel (via) ArsTechnica
NEWS SOURCE #2: Mahdi (via) Wired

Our thanks to 'Gauss' for this news item!