Madi malware ravages Middle East

Another malware campaign has hit the Middle East, with a focus on the region's critical infrastructure engineering firms, government agencies, financial houses, and academia, according to Kaspersky Labs and Seculert.

Over an eight-month period, researchers identified more than 800 victims of the bug, which has been dubbed Madi or Mahdi, which translates to Messiah.

Once installed, the malware recorded every move the user made, stealing login details, taking screenshots of computer activity like email or social networking exchanges, and recording audio. In eight months, multiple gigabytes of data were collected, according to Seculert.

The attack, which is rooted in religious propaganda, was carried out by Middle Eastern hackers who had relocated their servers to Canada. They targeted victims, mostly located in Iran, Israel, and Afghanistan, with emails containing Word documents about missile testing, videos of nuclear explosions, photos of Jesus, and news articles about Israel versus Iran. Seculert received a similar email several months ago, prompting its investigation; opening it executed a malware dropper and a mahdi.txt file.

Given that Kaspersky had discovered a similar piece of malware that targeted the Middle East, dubbed Flame, Seculert contacted Kaspersky to investigate any similarities between Flame and Madi.

"We collaborated in the weeks that followed," the blog said. Seculert analysed communications between the malware and the servers, while Kaspersky kept an eye on how the virus affected infected endpoints.

The labs couldn't find a direct connection between Madi and Flame, and are still unsure whether or not the latest was a state-sponsored attack. Most Madi victims are from Iran, Israel, and Afghanistan, though the United Arab Emirates and Saudi Arabia were also targeted.

"At the time of writing, the campaign continues to be in operation and we are working with various organisations to clean up and prevent further infections," Kaspersky said. The lab expects to post further blogs examining the broader scope of the Madi malware, including infrastructure, communications, data collection, and victims.

According to Kaspersky, a series of calming slides attached to malicious emails could easily confuse recipients into obliviously running the virus. According to slides Kaspersky examined, the computer warns users before they proceed, telling them "You are about to activate an inserted object that might contain viruses or otherwise be harmful to your computer."

"Like many pieces of this puzzle, most of the components are simple in concept," Kaspersky said on its blog, "but effective in practice."

Many Madi victims were tricked, Kaspersky said, into opening what they thought were innocent photos ending in the common ".jpg" file extension, which were in fact executable ".scr" files that allowed the hackers to spy on the user's every keystroke.
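The double-extension trick described above works because Windows hides known extensions by default, so a file named "holiday.jpg.scr" is displayed as "holiday.jpg". The following is an added example, not code from the article or from Kaspersky or Seculert, showing how a mail gateway or triage script can catch such attachments: it flags names whose real (last) extension is executable, and compares a claimed image extension against the file's magic bytes, treating an "MZ"/"PE" header as a disguised executable. The file names and byte contents are constructed samples, and the function names are my own.

```python
import struct

# Magic-byte signatures for common image types, keyed by the extension users expect to see.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Extensions Windows runs as programs; .scr (screen saver) is an ordinary PE executable.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def split_extensions(filename):
    """Return every dotted suffix in lower case: 'a.jpg.scr' -> ['.jpg', '.scr']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def is_pe_executable(data):
    """True if the bytes carry a DOS stub ('MZ') and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def assess_attachment(filename, data):
    """Return a list of reasons the attachment looks deceptive; an empty list means clean."""
    reasons = []
    exts = split_extensions(filename)
    if not exts:
        return reasons
    final_ext = exts[-1]
    # 1. Double extension: an image-looking name whose real extension is executable.
    if len(exts) > 1 and exts[-2] in IMAGE_MAGIC and final_ext in EXEC_EXTENSIONS:
        reasons.append("double extension: looks like %s but is %s" % (exts[-2], final_ext))
    # 2. Content mismatch: the name claims an image but the bytes say otherwise.
    if final_ext in IMAGE_MAGIC:
        if is_pe_executable(data):
            reasons.append("content is a PE executable despite %s extension" % final_ext)
        elif not any(data.startswith(m) for m in IMAGE_MAGIC[final_ext]):
            reasons.append("content does not match %s magic bytes" % final_ext)
    # 3. Any PE executable arriving as a mail attachment is worth flagging on its own.
    if final_ext in EXEC_EXTENSIONS and is_pe_executable(data):
        reasons.append("attachment is a PE executable (%s)" % final_ext)
    return reasons


def build_fake_pe():
    """Constructed sample: a minimal DOS stub plus PE signature, not a runnable binary."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points just past the stub
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16


# Constructed attachments: one genuine JPEG, one double-extension executable,
# one executable simply renamed to .jpg, and one file whose bytes are not a PNG.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "holiday.jpg.scr": build_fake_pe(),
    "missile_test.jpg": build_fake_pe(),
    "report.png": b"not really a png",
}


def scan_samples(samples=SAMPLES):
    """Run the check over every sample and map file name -> list of findings."""
    return {name: assess_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "clean")
```

The magic-byte check matters more than the name check: an attacker who renames a .scr to plain ".jpg" defeats rule 1, but the file still starts with "MZ" and cannot open as an image, so rule 2 catches it. Extend `IMAGE_MAGIC` with whatever document types your users actually exchange.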

Last month, a report from the Washington Post suggested that the US and Israeli governments crafted Flame, as well as Stuxnet, in order to slow the progression of Iran's nuclear program.