Mahdi Malware Makers Push Anti-American Update

Published: 22/11/2024   Category: security




Spy malware, seemingly built by Iranians, gets an update that searches for "USA" and "gov" on targeted machines, a security researcher says at Black Hat.



Mounting evidence suggests that the Mahdi malware was built by Iranians, for the primary purpose of spying on people inside Iran. Notably, while the four command-and-control (C&C) servers controlling Mahdi-infected PCs are based in Canada, the oldest sample of the Mahdi malware discovered thus far--dating from December 2011--interfaced with a C&C server located in Tehran, Iran.
What accounts for the Iran-based C&C server? "I think it was a mistake," said Aviv Raff, CTO of Israel-based Seculert, in an interview at Black Hat 2012 in Las Vegas. That is, whoever developed Mahdi may have inadvertently released into the wild versions which still connected to a test server, rather than the production servers that had been set up overseas and were meant to disguise the malware's origins.
But the target of Mahdi could be changing. According to Kaspersky, whoever is behind the malware launched a new variant Wednesday, which appeared to have been compiled the same day. "Following the shutdown of the Madi command and control domains last week, we thought the operation is now dead. Looks like we were wrong," said Nicolas Brulez, a security researcher at Kaspersky Lab, in a blog post. (Kaspersky refers to the malware as Madi.)
The new malware contains a number of refinements, such as not waiting for instructions from a C&C server. Instead, the malware simply grabs all targeted information and uploads it to a designated server, which, as with previous versions of the malware, is also hosted in Canada. In addition, the malware has been revamped to watch for a number of keywords, including "USA" and "gov".
"The Madi campaign is still ongoing and its perpetrators are busy shipping out new versions with improved features and new tricks," said Brulez. "The additional checks for 'USA' and 'gov' might indicate a shift of focus from targets in Israel to the USA."
Seculert first spotted Mahdi several months ago, as a malicious Trojan application hidden inside a Word document that was distributed via a spear-phishing attack. The email claimed that the attachment contained information about Israel's potential electronic warfare capabilities against Iran. The malware earned its name via a string of text inside the code, spotted by Seculert researchers, that included the word "Mahdi", which in Islamic eschatology is synonymous with Messiah.
After Kaspersky Lab went public last month with its discovery of the Flame malware, Seculert reached out, asking whether Mahdi might in any way relate to Flame, which researchers later linked to Stuxnet. The two companies' researchers then worked together, sinkholing the botnet to study it, and announced their Mahdi-related findings last week.
The Madi info-stealing Trojan enables remote attackers to steal sensitive files from infected Windows computers, monitor sensitive communications such as email and instant messages, record audio, log keystrokes, and take screenshots of victims' activities, according to Kaspersky. Common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo Mail, ICQ, Skype, Google+, and Facebook.
The two security firms found no apparent connections between Mahdi and Flame. "We started sinkholing Mahdi and we found that most of the targeted entities were coming from Iran and Israel, very similar to Flame, but that was it with the similarities," said Raff. "But we didn't find anything specific about the malware itself that would say there was something similar between those campaigns."
Wednesday, Seculert also released a blog post with updated Mahdi research, based on its ongoing teardown of the Mahdi malware and its associated C&C servers, as well as a free tool for spotting whether a PC is infected by the malware. Seculert found numerous clues suggesting that the malware had been built by Iranians. "We were able to identify strings within the communication that were in Farsi. Also, part of the strings were dates that were in the Persian calendar, which is different than the Gregorian calendar," said Raff, noting that most developers prefer to code in their native tongue.
Previously, four C&C servers controlled all Mahdi infections. "The interesting part is that one server is used mostly with Israeli targets, while the other three are for Iranian and Arab targets," said Raff. "The one used for Israel also targets other Middle Eastern countries, but there are no Israeli targets on the other three." All four C&C servers were also hosted by the same provider in Canada, although a whois lookup on the IP addresses claims that they're really based in Azerbaijan, and in one case on the premises of that country's Royal Bank. But according to Seculert, "we confirmed with several ISPs that the physical addresses of the C&C servers are indeed located in the headquarters of the Canadian hosting provider."
According to Seculert, about half of the 800 known systems infected by Mahdi--all via targeted attacks--have been in Iran, while roughly 7% of infections were in Israel. "Looking deeper into the Mahdi victims' IP addresses, we did find a few dozen IP addresses which seem to be from non-Middle-Eastern countries, such as the U.S. and U.K.," according to Seculert, although it appeared that the infected machines were owned by people who were only visiting those countries. But those Seculert findings differed from research subsequently published by Symantec, which claimed that 72% of all Mahdi infections involved PCs in Israel.
What accounts for that discrepancy? "Symantec may have come up with 72% because they were only looking at variants which communicated with the C&C servers targeting entities from Israel," according to Seculert's latest analysis. "Or, maybe they are looking only at their customers' machines which they found to be infected with Mahdi. As an American company, Symantec is not allowed to sell their products to Iran, and therefore they can't see infections in Iran." But Raff noted that Seculert's analysis had come from identifying PCs that had connected to the Mahdi botnet itself.
One final piece of evidence that the botnet was built by Iranians involves its naming conventions. Each bot node [infected PC] receives a unique identifier, Raff said, which is a text string combining reused prefixes with unique text strings, so that any individual machine can be quickly identified and controlled. Some of the words used to construct those prefixes include these names: Chabehar, Iranshahr, Khash, Nikshahr, Saravan, and Zabol. All of those names refer to cities or counties in Iran. Another prefix also used by the developers, meanwhile, was "Flame".
Is that, finally, evidence of a connection between Mahdi and Flame? The answer is likely no. According to Seculert, the first targeted victim with the "Flame" prefix began communicating with the C&C server in early June, right after the Kaspersky Lab discovery of Flame went public. In other words, the inclusion of the word "Flame" in Mahdi appears to have been made after Flame became public knowledge.
