By Madison Ruppert: Yet another virus primarily targeting countries in the Middle East has been discovered, this time called Mahdi, after the Islamic Messiah who, according to Islam, will rule the earth before the Day of Judgment.
Much like the astoundingly complex virus known as Flame, this virus can be modified remotely by the attacker in order to record keystrokes, remove documents, monitor email communications and even record audio.
However, according to Costin Raiu, senior security researcher at Kaspersky Lab, this piece of malware is not sophisticated, unlike Flame.
The malware was first observed “several months ago” and has targeted over 800 systems, the vast majority of them in Iran, with Israel a distant second, according to Israel’s Seculert and Russia’s Kaspersky Lab.
Interestingly, on Seculert’s July 17 blog they revealed, “The variant we examined communicated with a server located in Canada. We were able to track variants of the same malware back to December 2011. Back then, the malware communicated with the same domain name, but the server was located in Tehran, Iran.”
The potential similarities between Flame and Mahdi were so striking that Seculert originally contacted Kaspersky Lab in order to examine the two pieces of malware, although ultimately they “couldn’t find a direct connection between the campaigns.”
However, they did find that victims of the software known as Mahdi “include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern countries.”
Seculert makes it very clear that they do not know if there is a nation behind this effort. Previous Middle Eastern-focused viruses like Stuxnet, Duqu and Flame have all been traced back to the U.S. and Israel by researchers.
“It is still unclear whether this is a state-sponsored attack or not. The targeted organizations seem to be spread between members of the attacking group by giving each victim machine a specific prefix name, meaning that this operation might require a large investment and financial backing,” Seculert states on their blog.
This assertion, however, seems a bit odd considering that Mahdi is “not sophisticated” according to Kaspersky Lab’s Raiu. When dealing with potentially state-sponsored malware, we usually see researchers from groups like Kaspersky Lab saying that they are quite complex indeed.
Kaspersky Lab even pointed out that Delphi, the programming language in which parts of the malware were written, “Would be expected from more amateur programmers, or developers in a rushed project.”
Interestingly, according to the CTO of Seculert, Aviv Raff, Mahdi first came to their attention last February when a so-called “spear-phishing e-mail,” as Threat Level puts it, with a Microsoft Word attachment was discovered.
This document, if opened, would then open an article from November 2011 on Israel’s electronic warfare plans against Iran published on the Daily Beast.
Mahdi would also launch an executable on the victim’s system which dropped so-called backdoor services which then contacted a command and control, or C&C, server in order to receive instructions and/or other malware components.
Alternative versions uncovered by researchers included infected PDFs and PowerPoint attachments, some of which contained images of tropical locations or religious themes.
These PowerPoint presentations confused people into actually allowing the virus to infect their machines. According to Kaspersky Lab, one of the Mahdi PowerPoint variants shows the user “a series of calm, religious themed, serene wilderness, and tropical images, confusing the user into running the payload on their system.”
“While PowerPoint presents users a dialog that the custom animation and activated content may execute a virus, not everyone pays attention to these warnings or takes them seriously, and just clicks through the dialog, running the malicious dropper,” Kaspersky Lab explains.
Kaspersky Lab notes, “Large amounts of data collection reveal the focus of the campaign on Middle Eastern critical infrastructure engineering firms, government agencies, financial houses, and academia. And individuals within this victim pool and their communications were selected for increased monitoring over extended periods of time.”
Interestingly, a reader informed Threat Level that the Hebrew utilized in the PowerPoint slides on one of the Mahdi variants “is incorrect and awkwardly phrased in several places and suggests that the author of the slides is not a native-Hebrew speaker.”
In her Threat Level article Kim Zetter draws some interesting conclusions. Zetter states that the infections in both Iran and Israel – with the vast majority (387 in Iran vs. 54 in Israel according to Seculert) of infections in Iran – could indicate that Iran is somehow behind this infection.
Personally, I find such a leap quite absurd, although in the next sentence Zetter admits, “But the malware could also be a product of Israel or another country that’s simply been salted with Farsi strings in order to point the finger at Tehran.”
Seeing as we’ve seen these cyberattacks on Iran coming from a group of usual suspects, namely, the United States and Israel, why would we suddenly expect the nation continuously targeted by similar attacks to turn around and infect their nation’s own machines?
That being said, Zetter might have grounds if she opted to highlight the seemingly rudimentary nature of the malware instead of the Farsi strings which, according to Raff, indicate that “We are looking at a campaign that is using attackers who are fluent in Farsi.”
Seeing as U.S. officials have already confirmed that members of the Iranian terrorist group commonly referred to as the MEK were, in fact, trained by the Israeli Mossad, I would not for a moment be surprised if Israel had many fluent Farsi speakers they could utilize for such an operation.
In a seeming attempt to support the conclusion that the virus is of Iranian origin, Zetter links a virus revealed on an Israeli site in February which “came via a spear-phishing email that included a PowerPoint presentation and was sent to several bank employees.”
“The malware includes a file called officeupdate.exe and tries to contact a remote server in Canada via a server in Iran,” Zetter adds.
However, Zetter then admits that the article in no way identifies the malware as Mahdi, writing, “Although the article does not directly identify the malware as Mahdi, it has multiple characteristics that match Mahdi, and it struck Bank Hapoalim around the same time that Seculert says it discovered Mahdi.”
One must wonder why highly secret Israeli cyberwarriors would target one of their nation’s top banks, thus strengthening Zetter’s not-so-subtle finger pointing in the direction of Iran.
Zetter, described as “a senior reporter at Wired covering cybercrime, privacy, security and civil liberties,” must still explain why Iran, the target of the majority of highly sophisticated malware (which all just happens to be linked to the U.S. and Israel), would target themselves with malware.
Personally, I just don’t see why that is an even remotely reasonable conclusion to draw from the limited amount of evidence at hand.