An Israeli security firm says an ongoing cyber attack aimed mainly at Iran uses Persian language communications and is named after Mahdi, the “Muslim Messiah.”
Seculert, based in Israel, and Russia's Kaspersky Lab said on Tuesday that they identified more than 800 victims of the operation, Reuters reported. “The targets include critical infrastructure companies, engineering students, financial services firms and government embassies located in five Middle Eastern countries, with the majority of the infections in Iran,” according to the news service.
The cyber attack malware is believed to have begun approximately eight months ago, and whoever is behind it is “for sure somebody who is fluent in Persian,” said Seculert Chief Technology Officer Aviv Raff.
Scarlet and Kaspersky say the Trojan is called “Madhi,” a word that refers to the ultimate redeemer of Islam, because the cyber attackers used a folder with that name."In Islamic eschatology, the Mahdi is the prophesied redeemer of Islam who will rule for seven, nine or 19 years before the Day of Judgment and will rid the world of wrongdoing, injustice and tyranny. In Islam Ahmadiyya, the terms ‘Messiah’ and ‘Mahdi,’” according to Wikipedia.
“The Mahdi Trojan lets remote attackers steal files from infected PCs and monitor emails and instant messages,” according to Reuters, which quoted the two companies. “It can also record audio, log keystrokes and take screen shots of activity on those computers.”
It is not certain whether individuals or countries are behind the malicious software, while the Flame virus discovered last year was attributed to a country or countries. Israel and/or the United States frequently has been considered the source.
Seculert said that is was able to track variants of malware last December. “The malware communicated with the same domain name, but the server was located in Tehran,” the firm stated on its website.
After Kapersky announced in May it had discovered the Flame virus, Seculert contacted the Russian company.
“We collaborated in the weeks that followed [and] we were able to identify over 800 victims,” the Israeli security firm added. “While we couldn't find a direct connection between the campaigns, the targeted victims of Mahdi include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern countries."
Kaspersky explained in a blog post that one of the PowerPoint variants displays “a series of calm, religious themed, serene wilderness, and tropical images, confusing the user into running the payload on their system….
“[W]hile PowerPoint presents users a dialog that the custom animation and activated content may execute a virus, not everyone pays attention to these warnings or takes them seriously, and just clicks through the dialog, running the malicious dropper.”