Cyber-espionage Mahdi virus spreads further in Middle East

The malware's developers have changed its code to evade detection, according to Israel-based Seculert, which said that there have been 150 new victims over the past six weeks. That brings the total number of infections to about 1,000, Reuters reports.

In Islamic tradition, the Mahdi is the prophesied redeemer of Islam who will rule before the Day of Judgment, ridding the world of injustice and tyranny. Appropriately, the spyware that takes its name appears to be politically motivated, built to steal files and monitor emails and instant messages. It also sends screenshots, audio recordings and keystroke logs back to its operators.

Kaspersky Lab said that it believes multiple gigabytes of data have already been stolen from a variety of targets: infrastructure firms, engineering students, financial services firms and government embassies located in five Middle Eastern countries.

The trojan is not particularly sophisticated, Kaspersky researchers said, and was assembled from standard building blocks. It is not clear who the perpetrators are, or whether they are aligned with any country's state-run intelligence-gathering program.

Iran has been targeted in the past, most notably by the Stuxnet worm in 2010, which took aim at the country's nuclear program by infiltrating and compromising the uranium enrichment facility at Natanz. That operation was likely state-sponsored, intelligence sources have said, with the New York Times linking the development of the malware to the Israeli and US governments.

Kaspersky Lab researchers say that government-sponsored cyberwarfare has recently been on the rise, as evidenced by the deployment of malware such as Flame, Duqu, Gauss and Stuxnet.

In April 2012, malware was reported to be shutting down computer systems at businesses throughout Iran. The International Telecommunication Union (ITU) asked Kaspersky Lab to investigate the incidents, and during that investigation it discovered Flame, and later Gauss, at work. Flame was specifically targeted at the Middle East and built for remote listening and control, supporting long-term surveillance.

Meanwhile, in July, Indian officials said that Indian naval command had been penetrated by espionage malware attributed to Chinese hackers, in an attempt to gather information on sea trials of the Indian Navy's first nuclear submarine, the INS Arihant.

And, earlier in August, the Gauss malware was found targeting customers of Lebanese banks, stealing detailed information such as browser history, cookies, passwords and system configurations, according to Kaspersky. Customers of Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais, as well as users of Citibank and PayPal, were all targeted. Gauss is a "nation-state sponsored cyber-espionage toolkit," according to Kaspersky.