Seculert said its research lab discovered a few months ago a spear-phishing attack that included a targeted email with a malware-laden Word document attachment. “Opening the attached file executed a malware dropper, and a "mahdi.txt" file which contained and opened a real Word document”, Seculert explained in a blog.
The blog said that Mahdi disguised the communication between the malware and the command-and-control server by delivering updates and data-stealing modules, such as information gathering, audio recording, and keylogging, using a fake Google web page.
Seculert said they contacted Kaspersky Lab because of the initial similarity between Mahdi and the Flame malware. However, the companies were not able to identify a direct connection between the two malware campaigns.
The Israeli security firm said that, using a sinkhole and Big Data analytics, it was able to identify over 800 victims of the Mahdi malware, which mainly targeted critical infrastructure companies, financial services firms, and government embassies located in Iran, Israel, and several other Middle Eastern countries.
Commenting on the discovery of Mahdi, Mike Lloyd, chief technology officer of RedSeal Networks, said that the malware “does not show signs of being complex and expensive, but the relative simplicity of the weapon (compared, say, to Flame) does not mean it’s less effective at reaching its goals….The motivation behind this specific outbreak may be international espionage, but these techniques and others demonstrate how easily defenses can be compromised, including for corporate espionage, theft, or acts of war."