Security firms are warning of the Mahdi Trojan, newly discovered spyware being targeted against employees of a variety of critical infrastructure and government agencies.
We have observed Trojan.Madi communicating with command-and-control servers hosted in Iran and, more recently, Azerbaijan.
Mahdi first appeared in December 2011. It was detected by researchers at Kaspersky Lab, which released analysis of the Mahdi Trojan spyware attack on Tuesday. Security researchers at Kaspersky said the attacks have targeted "critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern countries."
Targeted attacks are ongoing, though most antivirus software can detect the malware. It infects computers by tricking victims into opening an email attachment. The attack requires users to run an executable file, enabling Mahdi to infect the victim's machine. Kaspersky researchers said it detected the Trojan embedded in a Microsoft PowerPoint containing "confusing themes."
Once a computer is infected with Mahdi, it can steal information, often using a keylogger, which can record keystrokes and send the data to a remote server controlled by the cybercriminals.
In its analysis of the Mahdi spyware attacks, Symantec Corp. said it has detected the Trojan on systems in the United States and New Zealand. The Mahdi Trojan can also update itself, receiving orders from the cybercriminals behind the malware. "We have observed Trojan.Madi communicating with command-and-control servers hosted in Iran and, more recently, Azerbaijan," Symantec said.
Symantec has assessed the risk level of the Mahdi Trojan to be low since it is being used in an extremely limited number of targeted attacks. In addition to oil companies and government agencies, Symantec said it has detected the Trojan on infected systems in U.S.-based think-tanks and a foreign consulate.
"Where high-profile attacks such as Flame, Duqu and Stuxnet utilize different techniques to exploit systems -- including leveraging zero-day attacks -- the Mahdi attack relies on social engineering techniques to get onto targeted computers," Symantec said.
Israel and Saudi Arabia have experienced the highest percentage of Mahdi infections in the past seven months, according to the security firm. Symantec said its investigation indicates that Mahdi is the work of a "Farsi-speaking hacker with a broad agenda."