
New Mahdi Strain of Spyware Targets Iran & Israel

The discovery of the Flame virus earlier this year brought cyberespionage to the international stage. Flame is highly sophisticated spyware (software designed to snoop on infected machines) of unprecedented complexity and scale. But spyware does not need to be created by government-backed hackers to be highly effective. Sometimes simple viruses work just as well. That is the lesson of Mahdi, a new strain of spyware discovered on computers in Iran and elsewhere in the Middle East.

Mahdi (also termed Madi) was discovered by security firm Kaspersky Labs in conjunction with Seculert. The spyware is propagated by a clever ploy known in security circles as spear-phishing. The term phishing refers to using links in social media and email to lure users to visit a malicious website or to download a malicious file. Spear phishing uses the same principle but targets individuals rather than a mass audience.

In the case of Mahdi, individuals in Iran, Israel and a smattering of other Middle Eastern countries received emails that linked to a specific article or offered a PowerPoint presentation with religious-themed slides for download. The targets included employees of critical infrastructure companies, financial services and government agencies, according to Kaspersky Labs’ analysis. The lion’s share of the victims were in Iran (387 of 800 known victims), with 54 cases in Israel.

The software reportedly performs the following functions:

  • Keylogging
  • Screenshot capture at specific intervals
  • Screenshot capture initiated by a communications-related event, such as when a user opens up a social networking site like Facebook or uses services like Skype or Gmail
  • Backdoor updates
  • Recording, saving and uploading of audio files
  • Retrieval of data files of 27 different types
  • Retrieval of disk structure
  • Deletion and binding (not fully implemented)

Given the nature of Mahdi and the targets Kaspersky and Seculert identified, it seems to be a cyberespionage attack focused on specific people in the countries where it has been discovered.

From a technical perspective, Mahdi is fairly simple. It does not exploit any zero-day vulnerabilities (security flaws unknown to security companies or software publishers), nor does it rely on a complex network of command-and-control servers; only four are known to exist.
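The two details above that matter most to a defender are the fixed-interval screenshot capture and the very small set of command-and-control servers: a host that uploads a similar-sized payload to one external destination every few minutes, with almost no jitter, stands out in proxy logs even when no malware-specific indicator is available. The following is an added example, not code from the article or from Kaspersky or Seculert; the log format, the client addresses and the `.invalid` hostnames are constructed placeholders, and the jitter threshold is an assumption a real deployment would tune.

```python
"""Added example (not from the article or Kaspersky/Seculert): a simple
beaconing heuristic over constructed web-proxy log lines.  It looks for
near-constant intervals between outbound POSTs from one client to one host,
the pattern a periodic screenshot/audio uploader produces."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, client IP, method, destination host, bytes sent.
# Hosts and addresses are placeholders, not indicators from any real case.
SAMPLE_LOG = """\
2012-07-17T09:00:00 10.0.0.5 POST upload.example-c2.invalid 48211
2012-07-17T09:00:03 10.0.0.5 GET  www.example-news.invalid 512
2012-07-17T09:05:01 10.0.0.5 POST upload.example-c2.invalid 47990
2012-07-17T09:07:40 10.0.0.5 GET  mail.example-webmail.invalid 2048
2012-07-17T09:10:00 10.0.0.5 POST upload.example-c2.invalid 48377
2012-07-17T09:15:02 10.0.0.5 POST upload.example-c2.invalid 48105
2012-07-17T09:20:01 10.0.0.5 POST upload.example-c2.invalid 48250
2012-07-17T09:01:10 10.0.0.7 GET  www.example-news.invalid 611
2012-07-17T09:42:55 10.0.0.7 GET  www.example-news.invalid 590
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, method, host, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host, int(size)))
    return events


def find_beacons(events, min_uploads=4, max_jitter_ratio=0.05):
    """Group outbound POSTs by (client, host) and flag pairs whose gaps between
    requests are near-constant: population std dev small relative to the mean.
    min_uploads and max_jitter_ratio are assumed tuning values."""
    by_pair = defaultdict(list)
    for ts, client, method, host, _size in events:
        if method == "POST":
            by_pair[(client, host)].append(ts)

    findings = []
    for (client, host), times in by_pair.items():
        if len(times) < min_uploads:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter_ratio:
            findings.append({"client": client, "host": host,
                             "uploads": len(times), "interval_s": round(avg)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['host']}: {hit['uploads']} uploads "
              f"every ~{hit['interval_s']}s")
```

On the constructed sample the only pair flagged is 10.0.0.5 posting to upload.example-c2.invalid roughly every 300 seconds; the ordinary browsing from both clients is ignored. The heuristic deliberately keys on timing rather than on the four known servers, since an attacker can change addresses far more easily than the capture schedule built into the implant.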

This type of attack is much more common on the Web than the gargantuan Flame. Graham Cluley, a researcher for security company Sophos, said that the average user is much more susceptible to “run-of-the-mill malware” than something like Flame.

Dr. Mike Lloyd, chief technology officer of security management company RedSeal Networks, agrees. “Mahdi should remind anyone of the old idea that people in glass houses shouldn’t throw stones,” he said. “This latest malware does not show signs of being complex and expensive, but the relative simplicity of the weapon – compared, say, to Flame – does not mean it’s less effective at reaching its goals. Globally, our infrastructure is weak – there have been steady increases in complexity, and networks continue to become more interdependent.

“Research shows that easy attacks work,” Lloyd continued, “and are at the core of the majority of detected breaches. Attackers do not need major nation-state resources to compromise most defenses. The motivation behind this specific outbreak may be international espionage, but these techniques and others demonstrate how easily defenses can be compromised, including for corporate espionage, theft or acts of war.”
