The developers of espionage malware Mahdi, first reported by researchers in February, have been tweaking code so the trojan avoids detection.
The malware is spread through spear phishing emails, where victims click on malicious attachments and download spyware appearing to be .pdf and .jpeg files, or Microsoft PowerPoint slideshows.
Mahdi, which has mainly targeted government entities and financial services firms in Iran, but also Israel, Afghanistan and other neighboring countries, can log keystrokes, record audio and capture screenshots of its victims. Roughly 800 victims have been reported.
Aviv Raff, CTO at Israeli security firm Seculert, which discovered Mahdi earlier this year, said attackers – based on the websites they are targeting for spying – are increasingly searching for victims with ties to the United States.
“Currently, the interesting part is that the new malware versions which have been added have attacked entities that have a connection to the U.S. or visit the U.S. frequently,” Raff told SCMagazine.com on Thursday.
Developers have been aggressively pushing updates through their new command-and-control center, which Seculert researchers blogged about in July.
“We’ve seen dozens of new update pushes in the last few weeks,” Raff said. “Sometimes, even several times a day. Though the malware is identified as unsophisticated, the campaign by attackers has been effective.”
Both Russian anti-virus company Kaspersky Lab and Seculert, which are working together to research Mahdi, have ruled out ties to Flame or other malware making headlines in recent months for targeting industries in the Middle East. The United States and Israel are believed to be behind Flame.
Kurt Baumgartner, senior security researcher at Kaspersky Lab, told SCMagazine.com on Thursday that other new Mahdi developments include attackers potentially using email lists at their disposal to send messages to victims in an attempt to dupe them into installing software infected by Mahdi.
He also added that the malware’s video and audio surveillance capabilities haven’t been used as much as other features.
“I’m not sure they really need it with the data they are already capturing,” Baumgartner said.
[An earlier version of this story incorrectly stated how the attackers were using the email lists.]