Security researchers have discovered yet another piece of malware that appears to be targeting computer systems in the Middle East.
Dubbed “Mahdi,” it was discovered about one and a half months after researchers found the Flame malware, which also hit computers in that region.
It relies on simple, well-known attack techniques rather than sophisticated ones.
Far From the Mahdi-ing Crowd
Mahdi “is a Trojan horse which is designed to log keystrokes, capture screenshots, record audio and steal files such as documents from an infected system,” Roel Schouwenberg, a senior researcher at Kaspersky Lab, told TechNewsWorld.
It uses social engineering to spread.
Mahdi “seems to launch spear phishing attacks with attachments, where the attack is disguised as a legitimate file, such as a PowerPoint file or an executable,” Alex Horan, senior product manager at Core Security, said. “The attackers choose explicit targets and send the malware to them.”
Temptation Is a Terrible Thing
The Mahdi Trojan uses two different social engineering schemes, Kaspersky Labs said.
One uses attractive images and confusing themes in PowerPoint slide shows that contain embedded Mahdi Trojan downloaders. For example, the “Magic_Machine1123.pps” attachment delivers an embedded executable inside a confusing math puzzle. The slides are often delivered within password-protected zip archives.
An “Activated Content” PowerPoint effect lets the executable content in these attachments run automatically. The downloaders then fetch and install backdoor services and related housekeeping data files on the victim’s PC, Kaspersky Lab said. PowerPoint does display a dialog warning that the custom animation and activated content in the slide may execute a virus, but most people tend to ignore it.
The other technique Mahdi uses is to send out executables with misleading filenames built with the Right to Left Override technique, Kaspersky Lab said: the Unicode right-to-left override character reverses how the end of the name is displayed, so a “.scr” executable appears to end in “.jpg,” “.pdf” or another harmless extension. When such a filename is copied into an ANSI context that cannot display the override character, its real form shows through, for example as “pictu?gpj.scr.” When victims click on the file, they unknowingly run the “.scr” executable.
“Attackers also still choose to name their files ‘something.jpg.exe’ and people may mistake this executable for a jpeg image,” Schouwenberg said. “I’d like to see the overall issue of double extensions addressed.”
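As an added, defender-side illustration (not code from the article or from any of the vendors quoted), the Python below shows why the override rename works and how a mail gateway or file scanner could flag it: it approximates how a bidi-aware viewer displays a name containing U+202E, extracts the extension the OS will actually use, and flags double extensions such as “something.jpg.exe.” The sample names are constructed; “pictu” + U+202E + “gpj.scr” reproduces the article’s “pictu?gpj.scr” example, where the “?” stands for the override character.

```python
# Added example (not from the article): flag attachment names that use the
# tricks described above; the sample names used with it are constructed.
# Bidi override/embedding/isolate controls (U+202A-U+202E, U+2066-U+2069).
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}
# Extensions Windows runs on double-click (a subset): what the victim really launches.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "hta", "msi"}
# Harmless-looking extensions used as decoys in front of the real one.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt", "pps", "ppt"}

def strip_controls(name: str) -> str:
    """Drop the invisible bidi controls; they reorder display, not stored bytes."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)

def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware file browser shows: text after an RLO
    (U+202E) is drawn right to left, i.e. reversed, until a PDF (U+202C) or
    the end of the string. Only that pair is modelled, not full UAX #9."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1  # also skips the PDF terminator, if present
        else:
            out.append(name[i])
            i += 1
    return "".join(out)

def true_extension(name: str) -> str:
    """Extension the OS actually uses: text after the last dot of the raw name."""
    base, dot, ext = strip_controls(name).rpartition(".")
    return ext.lower() if dot and base else ""

def analyze_filename(name: str) -> dict:
    """Report how the name is shown, what it really runs, and why to hold it."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-control")
    ext = true_extension(name)
    if ext in EXECUTABLE_EXTS:
        findings.append("executable")
        parts = strip_controls(name).lower().split(".")
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            findings.append("double-extension")
    return {"name": name, "shown_as": rendered_name(name),
            "true_extension": ext, "findings": findings, "suspicious": bool(findings)}
```

For the constructed name “pictu” + U+202E + “gpj.scr” the function reports it as shown “picturcs.jpg” with true extension “scr”, which is exactly the mismatch a scanner should quarantine.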
Not So Clear on Who and Why
Mahdi disguises the communication between the malware and its command-and-control server by delivering updates and modules through a legitimate-looking Google webpage, Seculert said. The actual module code is Base64-encoded and hidden within the HTML of the Google-like page.
Victims include critical infrastructure companies, financial services and government embassies in Iran, Israel and other countries in the Middle East, Seculert stated. The setup of the operation might indicate it required a large investment and financial backing.
However, it’s not yet clear whether or not Mahdi is indeed state sponsored, or who’s behind it.
Never Mind the Oracle
The backdoors were apparently coded in Delphi, an integrated development environment from Borland originally developed as a rapid application development tool for Windows.
This and the quality of the code “suggests that the attackers were either not experienced or were rushing the project,” Kaspersky’s Schouwenberg said. “We don’t really see high-level programming languages being used by experienced attackers who write backdoors.”
Mahdi “seems simpler than Flame and Stuxnet, but being simpler doesn’t mean less effective,” Core Security’s Horan told TechNewsWorld. “From all accounts the malware was effective, which is the goal.”
Further, while security experts agree that the Flame malware was bristling with encryption routines, some contend that those routines are outdated and can easily be circumvented by modern antimalware techniques.
Prince of Persia
The authors of the “Mahdi” malware appear to be fluent in the Farsi language and to know the Persian calendar. However, that in itself is meaningless.
“All this tells us is that the attackers know Farsi,” Kaspersky’s Schouwenberg pointed out.
“If I wanted to cast suspicion somewhere, then using a language like that would be one of the first things I would do,” Core Security’s Horan said.