A new piece of malware called Madi is spreading in the Middle East, and it has a number of the same characteristics as the Flame virus — known to be a major step in cyber-espionage.
The year-old malware arrives as a phishing email that social-engineers (dupes) unsuspecting recipients into opening an attachment. Once the attachment is opened, the malware installs itself on the system, and a genuine Word document or PowerPoint presentation pops up to make the viewer believe the attachment was legitimate. In one of these cases, the Word document showed an article titled “Israel’s Secret Iran Attack Plan: Electronic Warfare” by The Daily Beast. Another attachment opened a PowerPoint file (see image above) with “serene images.” In that case the malware was executed on the victim’s system as they paged through the presentation.
The malware is named Madi after the text file it downloads (mahdi.txt) and a number of other places the name is found within the virus. “Mahdi,” as Seculert points out, is a word referencing the savior in Islamic tradition.
Seculert observed the malware’s transmissions to the command and control servers, which occasionally communicated using Farsi. The command and control servers were based in Canada, though Seculert traced early transmissions from the virus back to an original server in Iran.
Madi is capable of keylogging, recording audio, taking screenshots when a communications application (such as IM) is open, and harvesting other types of data from the infected computer. This is very similar to the recently publicized Flame virus. Flame was discovered by Kaspersky Lab, a Russian security firm that is also working with Seculert on Madi. Flame has already been touted as one of the major pieces of malware to be afraid of today, showing what cyber-espionage can really do.
Kaspersky reports that Madi targets Middle Eastern government entities, “critical infrastructure engineering firms,” financial institutions, and places of research.
Kaspersky is coming out with a second profile of what the malware can do. We will be on watch for any developments.
Image via Kaspersky Lab