Security Experts:

Mahdi Malware Resurrected, Cuts Ties With C&C Servers

After its command and control (C&C) servers were taken offline last week, it was assumed that the Mahdi (or Madi) operation was finished. Mahdi, the name given to malware that was discovered to be targeting systems in the Middle East, has returned however, and its newest version has some creative changes.

Earlier this month, SecurityWeek reported on Mahdi after researchers at Kaspersky Lab and Seculert revealed its existence.

In addition to stealing data from infected Windows computers, it is also capable of monitoring email and instant messages, recording audio, capturing keystrokes and taking screenshots of victims' computers. Working together, researchers at Seculert and Kaspersky sinkholed the malware's command and control servers and monitored the campaign for eight months. What they found was a targeted attack that impacted more than 800 victims in Iran, Israel and other countries from around the globe.

Unfortunately, Kaspersky Lab discovered a new variant of Mahdi on Wednesday. In addition to some code optimizations, this version is able to operate without the need to use a C&C for orders.

“Following the shutdown of the Madi command and control domains last week, we thought the operation is now dead. Looks like we were wrong,” Kaspersky’s Nicolas Brulez explained in a blog post.

“The new version appears to have been compiled on July 25th,” he added. “It contains many interesting improvements and new features. It now has the ability to monitor VKontakte, together with Jabber conversations. It is also looking for people who visit pages containing “USA” and “gov” in their titles.”

The new C&C where compromised data is delivered resides in Canada on iWeb. A full report on the newest variant is here. 

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.