Mahdi and AC/DC: The Middle East as a Shooting Range

Monday, July 30, 2012

Pierluigi Paganini

03b2ceb73723f8b53cd533e4fba898ee

(Translated from the original Italian)

The Middle East has always been considered an area of the planet's turbulence for the continuing conflict and political tensions among the states that inhabit it.

In the last two years, the tensions seem to have intensified, and with it has grown the diffusion of malware for cyber espionage and for offensive purposes.

In the eyes of the world, the clock started with the spread of Stuxnet, developed by the U.S. and targeting Iran with the intent to interfere with the country's nuclear program.

In the following months there were findings of new malicious agents of unknown paternity that have hit the same area, we cannot ignore Duqu, Flame malware and the theory of the Tilded platform.

But every place in the world is attacked daily by malware, why we are discussing of Middle East?

Well, in this area the number of malware that have been developed for state sponsored projects surely represents an anomaly. All the examples provided are evidence of the intent of governments to hit its enemies in the cyber space to steal sensitive information or to destroy their critical infrastructure.

About one week ago, thanks to an investigation by the team of Kaspersky lab and its partner Seculert, we have discovered an ongoing campaign to conduct a large scale infiltration of computer systems in the Middle East area. The campaign has targeted individuals across several states in the area such as Iran, Afghanistan and also Israel.

The operation discovered has been named “Mahdi” (or Madi) due the presence of certain strings used by the attackers.

Kaspersky Lab and Seculert have isolated the agents and identified the Mahdi Command & Control (C&C) servers, identifying more than 800 victims located in Middle East area and other select countries across the globe.

The Mahdi malware enables remote attackers to steal sensitive files from infected Windows computers and monitor all the activities of infected machines The first investigations suggest that multiple gigabytes of data have been stolen, and according the experts  he campaign start seems dated at least 8 months.

What's new in the last version detected?

It contains many interesting improvements and also new features. It now has the ability to monitor VKontakte, the major Russian social network, and it is also able to spy on Jabber conversation.

The malware is also able to work silently monitoring user navigation on specific web sites that contains specific keywords such as: "gmail", "hotmail", "yahoo! mail" , "google+", "msn messenger", "blogger", "massenger", "profile", "icq" , "paltalk", "yahoo! messenger for the web", "skype", "facebook" ,"imo", "meebo", "state" , "usa" , "u.s", "contact" ,"chat" ,"gov", "aol", "hush", "live", "oovoo", "aim", "msn", "talk", "steam", "vkontakte", "hyves", "myspace", "jabber", "share", "outlook", "lotus",  and "career".

Once the agent notes that user visits one of the monitored sites, it takes screenshots and uploads them to the control server.

Even if the keylogger functionality is the same as the older version, the new variant has various changes, the most meaningful is the behavior of the info stealer that no longer waits for “commands” from the C2 instead, it simply uploads all stolen data to the control server right away.

Where are the new command and control servers located?

The Kaspersky team has localized them as still being in Montreal, meanwhile previous servers were also located in Tehran.

While it's clear that the operation is still continuing despite the discovery of the malware, the campaign has the unique intent to collect the greatest amount of information possible.

It's not clear who is behind the attack, but is evident that the campaign is state-sponsored with cyber espionage intents.

As introduced in the title of the post, the Middle East is becoming shooting range for malware diffusion, and as mentioned I refer of course to state sponsored attacks that demonstrate the increasing interest in cyber warfare by governments.

In other news that has recently alerted the international security community, a scientist working at the Atomic Energy Organisation of Iran (AEOI) declared that computer systems have been hit by a new cyber-attack.

This new attack is really unique because it forced computers to play AC/DC’s Thunderstruck at full volume in the middle of the night.

F-Secure was the first security firm informed of the attack, it has in fact received an  email from AEOI that recited:

"I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom."

"According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down. I only know very little about these cyber issues as I am scientist not a computer expert."

"There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing 'Thunderstruck' by AC/DC."

Why would the attacker want to make noise?

I find only two simple explanations:

  • it is a diversionary operation that is trying to cover a real attack. It could be also used to test the enemy defense trying to discover the potential impact of a new malware.
  • the malware has been developed by non-government team, it could be also the opera of isolated group of hackers, any way to give a valid judgment are necessary more info on the event.

The diffusion of malware in the Middle East area must be considered a serious phenomenon for several reason, and consider that cyberspace has no boundaries and the effect of malware release is not limited to a specific area. Stuxnet gives us a great example. Are we really ready to mitigate these cyber weapons escaped the control?

For sure we are still too vulnerable to consider ourselves as secure.

Another remarkable aspect is the risk that these agents could be reverse engineered to create new variants more aggressive than the original malware. The operations could be performed by governments but don't forget the increasing phenomenon of cyber terrorism.

As stated several times, we are in the middle of a cyber war!

References

Cross-posted from Security Affairs

Possibly Related Articles:
9221
Infosec Island Viruses & Malware
Information Security
malware Cyberwar Attacks Stuxnet Cyber Espionage Tilded Middle East Mahdi AC/DC
Post Rating I Like this!
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia Pierluigi, unless you have some other intel, I would suggest being rather circumspect about that email to Mikko and the story around the AC/DC thing. I have looked, I have asked, and I have heard nothing solid that it ever happened.
K.
1343743209
03b2ceb73723f8b53cd533e4fba898ee
Pierluigi Paganini Hi Krypt3ia ... I have you same info ... it seems the work of indipendent hackers that used Metaexploit ... nothing else
have a great day
PL
1343743745
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.