Dubai: Security experts have uncovered an ongoing cyber espionage campaign targeting Iran and other Middle Eastern countries that they say stands out because it is the first such operation using communications tools written in Farsi.
Kaspersky Labs and Seculert researchers have identified more than 800 victims of the bug over an eight-month period, which has been dubbed Madi or Mahdi.
Once installed, the malware recorded every move the user made, stealing login details, taking screenshots of computer activity like email or social networking exchanges, and recording audio. In eight months, multiple gigabytes of data were collected, according to Seculert.
The spyware hit at least 387 computers in Iran, 54 in Israel, 14 in Afghanistan, six in the UAE and four in Saudi Arabia, the researchers said. They refused to identify the targets, but said they included crucial infrastructure companies, engineering students, financial services firms and embassies.
“While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims,” said Nicolas Brulez, Senior Malware Researcher, Kaspersky Lab.
“Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection.”
The attack, which is rooted in religious propaganda, was carried out by Middle Eastern hackers who had relocated their servers to Canada. They targeted victims, mostly located in Iran, Israel, and Afghanistan, with emails containing Word documents about missile testing, videos of nuclear explosions, photos of Jesus, and news articles about Israel versus Iran.
“Interestingly, our joint analysis uncovered a lot of Farsi strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language,” said Aviv Raff, Chief Technology Officer, Seculert.
Researches are investigating whether Flame and Madi viruses have any similarities.
“Mahdi is much simple. It’s not anywhere close to Flame and Stuxnet,” said Brulez.
However, “the targeted entities are spread within the members of the attack group, which might suggest that this attack requires large investment or financial backing,” Raff said.
In addition, examination of the malware identified an unusual amount of religious and political “distraction” documents and images that were dropped when the initial infection occurred.
Common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.
Kaspersky Lab’s Anti-Virus system detects the Madi malware variants along with its associated droppers and modules, classified as Trojan.Win32.Madi.
