Mahdi campaign, ongoing cyber-espionage in the Middle East

Pierluigi Paganini July 18, 2012

Another excellent investigation by the Kaspersky Lab team and its partner firm Seculert has uncovered an ongoing campaign to infiltrate computer systems across the Middle East on a large scale. The campaign has targeted individuals in several states in the region, including Iran, Afghanistan and Israel.

The operation has been named “Madi” because of certain strings used by the attackers.

What does Mahdi mean?
“In Islamic eschatology, the Mahdi is the prophesied redeemer of Islam who will rule for seven, nine or nineteen years before the Day of Judgment and will rid the world of wrongdoing, injustice and tyranny. In Islam Ahmadiyya, the terms “Messiah” and “Mahdi” are synonymous terms for one and the same person.” — Wikipedia

Kaspersky Lab and Seculert have isolated the agents and identified the Madi Command & Control (C&C) servers, identifying more than 800 victims located in the Middle East and other select countries across the globe.

The operation appears to have been running for at least 8 months. The comments of specialist Nicolas Brulez of Kaspersky Lab and of Aviv Raff, Chief Technology Officer at Seculert, are interesting.

Nicolas Brulez declared:

“While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims,”

“Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection.”

“Interestingly, our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language,” said Aviv Raff.

The attack relies on two well-known techniques to deliver the malicious payloads. The huge quantity of data collected reveals the real targets of the operation in the Middle East: government agencies, critical infrastructure engineering firms and financial houses. The campaign has hit the entire productive fabric as well as government institutions.

The key to the success of this type of attack is the ability to hold the user’s attention with the attractive content presented in the documents, while an “Activated Content” PowerPoint effect enables the installation of a backdoor on the target host.

The Madi malware enables remote attackers to steal sensitive files from infected Windows computers and to monitor all activity on infected machines. First investigations suggest that multiple gigabytes of data have been stolen.

The main features implemented in the backdoor are:

  1. Keylogging
  2. Screenshot capture at specified intervals. (see timers below)
  3. Screenshot capture at specified intervals, initiated exclusively by a communications-related event. The event may be that the victim is interacting with webmail, an IM client or social networking site. These triggering sites include Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, google+, Facebook and more.
  4. Update this backdoor
  5. Record audio as .WAV file and save for upload
  6. Retrieve any combination of 27 different types of data files
  7. Retrieve disk structures
  8. Delete and bind – these are not fully implemented yet

In one specific case, the “Magic_Machine1123.pps” file deploys the embedded executable from within a confusing math-puzzle PowerPoint Slide Show that holds the victim’s attention with questions and math instructions.

These kinds of attacks are simple to avoid: PowerPoint and similar applications show users an alert explaining the risks of executing unknown software. That alert, however, is the most critical phase of the infection, because it is where the content on offer has to overcome the user’s resistance.

Too many users completely ignore the risks related to this type of attack. They do not realize that a PowerPoint document or a PDF file could infect their machine, and many users are convinced that their machines are immune to these types of attacks; take Mac users as an example.

The discovered backdoor is coded in Delphi. The choice of language, like the use of a well-known vulnerability, leads experts to think that it was developed by amateur programmers, excluding any state-sponsored attack.

The executables are packed with a recent version of the legitimate UPX packer such as UPX 3.07. Unfortunately, that technique and quickly shifting code will get the code past some gateway security products.

When the malicious code is executed, the dropper creates a large volume of files in “c:\documents and settings\\Printhood”.

Along with UpdateOffice.exe or OfficeDesktop.exe (and other variations on the Office name), hundreds of mostly empty housekeeping files are created. The dropper writes a set of files holding configuration data, along with the images and video used to attract the user’s interest. Infostealers are also downloaded and run as “iexplore.exe” from within the “templates” directory.



The content used to attract the user’s attention varies: documents containing news relevant to the victims, images on attractive themes, or simply games such as the puzzle mentioned above. The key is the “diversion”: distracting the user from the installation of the malware so that, paradoxically, the user facilitates its deployment by ignoring the application’s alerts.

The important lesson from these massive attacks is that a 0-day vulnerability is not necessary for large-scale infiltration; in this case it was achieved through a well-known vulnerability and by relying on the lack of awareness of cyber threats.

In the past we have also spoken of what we have called one-day exploits and of the importance of keeping systems updated, reducing the time needed to deploy a patch once a vulnerability is fixed.

Another technique for deceiving users, described in the Kaspersky team’s article, is the use of misleading file names built with the publicly known “Right to Left Override” technique.

The method makes it possible to present a file to the user with a “familiar icon” not associated with executable files (e.g. “.jpg” or “.pdf”). In this way the user is confident that he is simply opening an innocent file, while he is actually executing malicious code.

The “right to left override” (RLO) character is a special character within Unicode, an encoding system that allows computers to exchange information regardless of the language used.

Madi’s files included filenames that appeared on victim systems as harmless “picturcs..jpg”, displayed with a common “.jpg” icon, but when that Unicode, or UTF-8 based filename is copied to an ANSI file, the name is displayed as “pictu?gpj..scr”, so it’s an executable “.scr” file.

Once the file is executed, misleading images or videos are shown to the user to deceive him and keep him from suspecting what is really happening.

How can you discover whether a machine is infected?
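The RLO filename trick described above can be checked for mechanically. The following Python sketch is an added example, not code from Kaspersky, Seculert or the malware: it flags names that contain bidirectional control characters and compares the extension the user sees with the one the operating system acts on. The sample name assumes the “?” in “pictu?gpj..scr” stands for U+202E, and the executable-extension list is an assumed shortlist.

```python
import os
import unicodedata

# Unicode bidirectional formatting characters that can reorder displayed text.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
RLO, PDF = "\u202e", "\u202c"
# Extensions Windows runs directly (assumed shortlist, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Constructed sample: the name from the article with "?" taken to be U+202E.
SAMPLE = "pictu\u202egpj..scr"


def rendered_name(name):
    """Approximate what a bidi-aware file manager shows: text after an RLO is
    reversed until a PDF or the end of the string (simplified, not full UAX #9)."""
    out, run, in_rlo = [], [], False
    for ch in name:
        if ch == RLO:
            in_rlo = True
        elif ch == PDF and in_rlo:
            out.extend(reversed(run))
            run, in_rlo = [], False
        elif ch in BIDI_CONTROLS:
            continue  # other controls are invisible; ignored by this model
        elif in_rlo:
            run.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(run))
    return "".join(out)


def inspect_filename(name):
    """Report the visible name, both extensions and whether to flag the file."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    real_ext = os.path.splitext(name)[1].lower()  # what the OS acts on
    shown = rendered_name(name)
    return {
        "controls": controls,
        "shown": shown,
        "shown_ext": os.path.splitext(shown)[1].lower(),
        "real_ext": real_ext,
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTS,
    }


if __name__ == "__main__":
    for key, value in inspect_filename(SAMPLE).items():
        print(f"{key}: {value!r}")
```

A mail gateway or file-share scanner can apply the same test to attachment and archive member names; legitimate right-to-left language filenames rarely need an explicit override character, so any hit is worth a look.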

Follow the instructions provided by Kaspersky Lab:

All known compromised systems are known to communicate over HTTP with one of several web servers, such as: 174.142.57.* (3 servers) and 67.205.106.* (one server).

In addition, ICMP PING packets are sent to these servers to check their status. The infostealers are downloaded and executed from the “c:\Documents and Settings\%USER%\Templates” folder. The downloader itself runs from “c:\documents and settings\%USER%\Printhood”, which may contain over 300 files with “.PRI”, “.dll”, and “.TMP” extensions. The infostealers are named “iexplore.exe”, while the downloaders maintained names like UpdateOffice.exe or OfficeDesktop.exe.

At the time of writing, the campaign continues to be in operation and we are working with various organizations to clean up and prevent further infections. Kaspersky products detect the malware as “Trojan.Win32.Madi.*”; some of the older variants are detected as “Trojan.Win32.Upof.*”.
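The host indicators in the Kaspersky guidance above can be turned into a triage check. This Python sketch is an added example, not a Kaspersky tool: it inspects one user profile directory for the downloader names, a bulk of “.PRI”/“.dll”/“.TMP” files in Printhood, and “iexplore.exe” in Templates. The threshold of 100 files and the function name are assumptions; PrintHood and Templates are standard folders in a Windows XP profile, so only their contents are treated as evidence.

```python
import os
from collections import Counter

# Indicators taken from the guidance quoted above.
DOWNLOADER_NAMES = {"updateoffice.exe", "officedesktop.exe"}
HOUSEKEEPING_EXTS = {".pri", ".dll", ".tmp"}
# Assumption: the text says "over 300 files"; alert earlier to catch
# partially cleaned or freshly infected hosts.
BULK_THRESHOLD = 100


def _files(path):
    """Names of regular files directly inside path."""
    return [f for f in os.listdir(path) if os.path.isfile(os.path.join(path, f))]


def check_profile(profile_dir):
    """Return a list of findings for one user profile directory."""
    findings = []
    # Map lower-cased names to real ones so the check is case-insensitive.
    entries = {e.lower(): e for e in os.listdir(profile_dir)}

    if "printhood" in entries:
        files = _files(os.path.join(profile_dir, entries["printhood"]))
        for name in files:
            if name.lower() in DOWNLOADER_NAMES:
                findings.append(f"downloader name in Printhood: {name}")
        exts = Counter(os.path.splitext(f)[1].lower() for f in files)
        bulk = sum(exts[e] for e in HOUSEKEEPING_EXTS)
        if bulk >= BULK_THRESHOLD:
            findings.append(f"{bulk} .PRI/.dll/.TMP files in Printhood")

    if "templates" in entries:
        files = _files(os.path.join(profile_dir, entries["templates"]))
        if any(f.lower() == "iexplore.exe" for f in files):
            # The genuine Internet Explorer binary does not live in a profile.
            findings.append("iexplore.exe in Templates")

    return findings


if __name__ == "__main__":
    root = r"C:\Documents and Settings"
    if os.path.isdir(root):
        for user in os.listdir(root):
            profile = os.path.join(root, user)
            if os.path.isdir(profile):
                for finding in check_profile(profile):
                    print(f"{user}: {finding}")
```

The downloader check matches only the two names given in the text; since the campaign used other variations on the Office name, the file-count and Templates checks carry more weight.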

A personal opinion

Although it is still unclear whether this is a state-sponsored attack or not, I believe that a similar operation could be arranged with the sole intent of cyber espionage. The targeted countries and the typology of victims suggest that a state interested in sensitive information could be behind the operation.
We are facing another face of cyber espionage, totally different from the Flame case, but no less efficient. Maybe multiple cyber espionage campaigns have been launched, different in modus operandi, to increase the probability of success.

Who will be the unnamed “State” behind this operation?

Pierluigi Paganini

