The Mahdi malware, uncovered by Israeli security firm Seculert working with Kaspersky, was discovered a few months ago operating in the Middle East. The campaign begins with a spearphishing email carrying a malware-laden Word document attachment.
Once the malware is installed, Mahdi disguises its communication with the command-and-control server, which delivers updates and data-stealing modules aimed at critical infrastructure engineering firms, government agencies, financial houses, and academia.
Last week, the Mahdi command-and-control server was shut down, but this week a new version of the Mahdi malware appeared that contains “many interesting improvements and new features”, explained Nicolas Brulez of Kaspersky in a blog post. The new command-and-control server is reportedly located in Montreal, Canada.
“Compared to previous variants, there are a number of changes. For instance, when run, the new version creates a MUTEX named ‘miMutexCopy Mohammad Etedali ‘www.irandelphi.ir’. It drops a file named datikal.dll which contains the current date. It checks if poki65.pik is present in the folder, which is the keylogger file. The keylogger code is identical to previous variants, but the Hook function is a bit different - code was merged from different subroutines into one single procedure”, Brulez wrote.
“Perhaps the most important change is the infostealer no longer waits for ‘commands’ from the C2 - instead, it simply uploads all stolen data to the server right away”, he added.