Mahdi Campaign and Cyber Espionage in the Middle East

Thursday, July 19, 2012

Plagiarist Paganini


(Translated from the original Italian)

Once again, an investigation by the Kaspersky Lab team and its partner Seculert has uncovered an ongoing campaign of large-scale infiltration of computer systems in the Middle East.

The campaign has targeted individuals across several countries in the region, such as Iran, Afghanistan and Israel.

The operation has been named "Madi" due to the presence of certain strings used by the attackers.

What does Mahdi mean? "In Islamic eschatology, the Mahdi is the prophesied redeemer of Islam who will rule for seven, nine or nineteen years before the Day of Judgment and will rid the world of wrongdoing, injustice and tyranny. In Islam Ahmadiyya, the terms "Messiah" and "Mahdi" are synonymous terms for one and the same person." -- Wikipedia

Kaspersky Lab and Seculert have isolated the agents and the Mahdi Command & Control (C&C) servers, identifying more than 800 victims located in the Middle East and in a few other countries across the globe.


The operation seems to date back at least eight months. The comments of Nicolas Brulez, specialist at Kaspersky Lab, and of Aviv Raff, Chief Technology Officer at Seculert, are quite interesting.

Nicolas Brulez declared:

“While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims...”

“Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection.”

Aviv Raff said:

“Interestingly, our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language."

The attack is based on two well-known techniques for delivering malicious payloads, and the large quantity of data collected reveals that the real targets of the operation are government agencies, critical infrastructure engineering firms and financial houses.


The key to the success of this type of attack is the ability to trick users, via spear-phishing, with attractive content headings for tainted documents; in this case a PowerPoint presentation that installed a backdoor on the targeted system.

The Mahdi malware lets remote attackers steal sensitive files from infected Windows computers and monitor all the activity of the infected machines; the investigation suggests that multiple gigabytes of data have been stolen.

The main features implemented in the backdoor are:

  1. Keylogging
  2. Screenshot capture at specified intervals
  3. Screenshot capture initiated exclusively by a communications-related event, such as the victim interacting with webmail, an IM client or a social networking site. The triggering sites include Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, Facebook and more.
  4. Updates for the backdoor
  5. Recording of audio as a .WAV file, saved for upload
  6. Retrieval of any combination of 27 different types of data files
  7. Retrieval of disk structures
  8. Delete and bind functions, although these are not fully implemented yet

In this specific case, the "Magic_Machine1123.pps" file deploys the embedded executable from within a confusing PowerPoint slide show of math puzzles, questions and instructions.

These kinds of attacks are simple to avoid, considering that PowerPoint and similar applications warn users about the risks of running unknown software; but this is precisely the most critical phase of the infection: the capacity of the proposed content to overcome the user's resistance.


Too often users ignore the risks of these attacks: they do not realise that a PowerPoint document or a PDF file can infect their machine, and many are convinced that their machines are immune to this kind of attack.

The executables are packed with a recent version of the legitimate UPX packer, such as UPX 3.07. Unfortunately, this technique, combined with quickly shifting code, gets the malware past some gateway security products.

When the malicious code is executed, the dropper creates a large number of files in “c:\documents and settings\%USER%\Printhood”.

Along with UpdateOffice.exe or OfficeDesktop.exe (and other variations on the Office name), hundreds of mostly empty housekeeping files are created. The dropper releases a set of files holding configuration data, images and videos used to attract the targets' interest; info-stealers are also downloaded and run as “iexplore.exe” from the user's “Templates” directory.



The important lesson from this massive attack is that a zero-day vulnerability is not necessary for large-scale infiltration.

In the past we have also discussed what we call one-day exploits, the importance of keeping systems updated, and the need to reduce the time between the release of a fix for a vulnerability and the deployment of the patch.

Another technique for circumventing protections, described in the Kaspersky team's article, is the use of misleading file names together with the widely known "Right to Left Override" trick.

The method makes it possible to present a file to the user with a "familiar icon" unrelated to executable files (e.g. ".jpg" or ".pdf"). In this way the user is confident that he is simply opening an innocent file, while he is actually executing malicious code.

The "right to left override" (RLO) character is a special control character in Unicode, the encoding standard that allows computers to exchange text regardless of the language used.

Mahdi's files included names that appeared on victim systems as a harmless "picturcs.jpg", displayed with the common ".jpg" icon; but when that Unicode (UTF-8) filename is converted to an ANSI string, the name shows as "pictu?gpj..scr": the file is actually an executable ".scr" screensaver.
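The following is an added example, not code from this post or from the Kaspersky/Seculert analysis, that shows the RLO trick from the defender's side: it reconstructs how a filename containing U+202E is displayed and reports the extension the loader actually sees. The sample filename is constructed after the page's "picturcs.jpg" example.

```python
# Unicode bidirectional control characters that can reorder how a filename
# is displayed. U+202E is the Right-to-Left Override (RLO) used by the
# Mahdi droppers; the others are related controls worth flagging as well.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# A selection of extensions Windows treats as directly executable.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware renderer shows: everything after the
    first RLO is drawn right-to-left (i.e. reversed). Other controls are
    invisible and are dropped. Sufficient for the single-RLO trick."""
    if "\u202e" in name:
        head, tail = name.split("\u202e", 1)
        tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
        return head + tail[::-1]
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name: str) -> str:
    """Extension the filesystem/loader really uses: strip the invisible
    controls and take the text after the last dot in stored order."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = stripped.rfind(".")
    return stripped[dot:].lower() if dot != -1 else ""


def analyse(name: str) -> dict:
    """Report displayed vs. real name and flag executable files hidden by bidi controls."""
    controls = [BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS]
    ext = true_extension(name)
    return {
        "stored": name,
        "displayed": rendered_name(name),
        "controls": controls,
        "true_extension": ext,
        "suspicious": bool(controls) and ext in EXECUTABLE_EXTS,
    }


if __name__ == "__main__":
    # Constructed sample: shown as "picturcs.jpg", really a ".scr" executable.
    sample = "pictu\u202egpj.scr"
    for key, value in analyse(sample).items():
        print(f"{key:15}: {value!r}")
```

The same check can be applied to attachment names at a mail gateway or to file names in a directory listing before a user ever sees the icon.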


Once executed, the file displays its misleading images or videos to the target.

How to discover whether a machine is infected?

Following the instructions provided by Kaspersky Lab:

"All known compromised systems are known to communicate over HTTP with one of several web servers, such as: 174.142.57.* (3 servers) and 67.205.106.* (one server)."

"In addition, ICMP PING packets are sent to these servers to check their status. The infostealers are downloaded and executed from the “c:\Documents and Settings\%USER%\Templates” folder. The downloader itself runs from “c:\documents and settings\%USER%\Printhood”, which may contain over 300 files with “.PRI”, “.dll”, and “.TMP” extensions. The infostealers are named "iexplore.exe", while the downloaders maintained names like UpdateOffice.exe or OfficeDesktop.exe."

"At the time of writing, the campaign continues to be in operation and we are working with various organizations to clean up and prevent further infections. Kaspersky products detect the malware as “Trojan.Win32.Madi.*”; some of the older variants are detected as "Trojan.Win32.Upof.*"."
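As an added example, not part of this post or of the Kaspersky write-up, the HTTP indicator above can be turned into a check over proxy logs. The log lines below are constructed in Squid access-log format; interpreting "174.142.57.*" and "67.205.106.*" as /24 networks is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# C&C ranges quoted from the Kaspersky instructions; "/24" reading of "*" is assumed.
MADI_C2_NETWORKS = [
    ipaddress.ip_network("174.142.57.0/24"),
    ipaddress.ip_network("67.205.106.0/24"),
]

# Constructed sample in Squid native log format; these are not real log lines.
SAMPLE_LOG = """\
1342699200.123 212 10.0.0.15 TCP_MISS/200 1434 GET http://174.142.57.10/get.php - DIRECT/174.142.57.10 text/html
1342699201.456 98 10.0.0.22 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1342699202.789 301 10.0.0.15 TCP_MISS/200 912 POST http://67.205.106.88/upload.php - DIRECT/67.205.106.88 text/plain
1342699203.001 150 10.0.0.31 TCP_MISS/200 2048 GET http://174.142.58.5/ - DIRECT/174.142.58.5 text/html
"""

# Squid native format: time elapsed client code/status bytes method URL ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def is_madi_c2(host: str) -> bool:
    """True if host is a literal IP address inside one of the Madi C&C ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not matched by this IP-range check
    return any(addr in net for net in MADI_C2_NETWORKS)


def find_madi_beacons(log_text: str) -> list:
    """Return (timestamp, client, destination host, url) for each request to a C&C range."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        if is_madi_c2(host):
            hits.append((m["ts"], m["client"], host, m["url"]))
    return hits


if __name__ == "__main__":
    for ts, client, host, url in find_madi_beacons(SAMPLE_LOG):
        print(f"{ts} {client} -> {host} ({url})")
```

Any internal client that appears in the output is a candidate for the file-system checks on the Printhood and Templates folders listed above.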

A personal opinion

Although it is still unclear whether this is a state-sponsored attack or not, I believe that similar operations could be arranged with the sole intent of cyber espionage. The targeted countries and the type of victims suggest that a state interested in sensitive information could be behind the operation.

We are faced with another instance of cyber espionage, totally different from the Flame case but no less effective. Perhaps multiple cyber espionage campaigns, different in their modus operandi, have been launched to increase the probability of success.

Who is the "unnamed state" behind this operation?


Cross-posted from Security Affairs
