New espionage tool infects systems in the Middle East

A trojan has infected hundreds of systems in the Middle East in what, according to Kaspersky, appears to be a new cyber-espionage campaign. The Mahdi trojan is far simpler than Flame and Stuxnet, and contains many Persian strings.

Kaspersky Lab and Seculert have discovered a new trojan that appears to infect systems mainly in the Middle East and seems to be part of a state-run espionage campaign. The trojan was discovered via an e-mail that appeared to contain an infected Word document; once opened, it smuggled in the malware along with a text file named Mahdi. The trojan is named after this designation, which in some Islamic traditions refers to the saviour whose coming heralds the end of time.

According to Kaspersky, the trojan downloader is also distributed via PowerPoint presentations and executable files disguised as images and videos, with accompanying text meant to tempt the recipient into opening the files. While the images and videos play, giving the user the impression that nothing is amiss, keyloggers, screenshot-capture programs and data grabbers run in the background; audio can also be recorded and the backdoors can be updated. The backdoors found are written in Delphi.

Gmail, Hotmail, Yahoo Mail, ICQ, Skype, Google+ and Facebook were also monitored, and the malware additionally scanned for integrated ERP/CRM systems, business contracts and financial management systems.

In terms of design, the malware has nothing in common with advanced code such as Stuxnet and Flame. According to Kaspersky, the techniques used are simple but effective. The reason the companies believe the attack is part of state espionage is that the majority of the 800 infected systems were located in Iran and Israel. “Statistics show that the victims are mainly people from the business community who work for Iranian and Israeli critical infrastructure projects, Israeli financial institutions, engineering students from the Middle East and various government agencies in the Middle East,” says Kaspersky.

The two companies managed to gain control of Mahdi's servers and thus have a good picture of the operation. According to Aviv Raff, Chief Technology Officer at Seculert, it is striking that the malicious code contains many Persian strings: “The attackers undoubtedly spoke this language fluently.”