Researchers have uncovered a major spearphishing attack targeting foreign embassies and critical infrastructure in Iran that spreads via… a forged article from The Daily Beast.
Russian security firm Kaspersky Lab and Israel’s Seculert released details on the Mahdi spearphishing attack, which uses extensive Persian-language content and name-drops the Muslim messianic figure several times. Mahdi attacks were found on 387 Iranian computers, 54 Israeli computers, and isolated attacks were also discovered in Afghanistan, Saudi Arabia, and the United Arab Emirates.
A version of Mahdi’s spyware examined by Seculert transmitted detailed information such as files, keylogging, and audio recordings to servers in Canada and Iran. According to Kaspersky’s analysis, Mahdi spearphishers sent targets confusing PowerPoint slide shows centered around math puzzles or optical illusions. The optical illusion themed PowerPoint presentations all had dual English language and Hebrew text. In some cases, Madhi spyware was attached to a copy-and-paste of a Daily Beast article on Israeli electronic warfare by writer Eli Lake.
Mahdi was written in Delphi, with the name “Madi” or “Mahdi” mentioned several times in folder names. According to the CTO of security firm RedSeal, Mike Lloyd, “Mahdi should remind anyone of the old idea that people in glass houses shouldn’t throw stones. This latest malware does not show signs of being complex and expensive, but the relative simplicity of the weapon (compared, say, to Flame) does not mean it’s less effective at reaching its goals. Globally, our infrastructure is weak – there have been steady increases in complexity, and networks continue to become more interdependent. Research shows that easy attacks work, and are at the core of the majority of detected breaches. Attackers do not need major nation-state resources to compromise most defenses. The motivation behind this specific outbreak may be international espionage, but these techniques and others demonstrate how easily defenses can be compromised, including for corporate espionage, theft, or acts of war.”
To keep up with news throughout the day, visit our Fast Feed page.
[Image: Flickr user Tom Lin]