A computer virus campaign has for months been selectively spying on people involved in government and in strategically important industries principally in Iran – but also in Israel and other countries in the Middle East, according to two cybersecurity companies, which cooperated to track the campaign.
The virus, a Trojan horse with an “amateurish” design, contains lines of Farsi, or Persian, the main language spoken in Iran, Seculert and Kaspersky Lab said in news releases Tuesday. It communicates with “command and control” servers, which also contain code in Farsi and dates from the Persian calendar, they said.
“The attackers were no doubt fluent in this language,” said Aviv Raff, Seculert’s chief technology officer.
The malware has a component named after the Shiite messiah “Mahdi,” and an earlier version of the malware once sent data plundered from victims’ computers back to a server in Tehran.
But neither cybersecurity company has pointed a finger at any government.
“It is still unclear whether this is a state-sponsored attack or not,” according to Seculert, which is headquartered in Israel. The malware has worked with four different “command and control” servers for over eight months, including one in Canada, the company said.
The partners have “identified more than 800 victims, primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East,” according to Moscow-based Kaspersky Lab.
For the Mahdi component, Seculert said on its blog, there were 387 victims in Iran, 54 in Israel and smaller numbers in other countries.
The espionage campaign is still active, it said.
Seculert first discovered the virus in a suspicious e-mail with a fake Word document attached. Clicking on the file launched a “malware dropper,” which started the viral infection.
At the same time – to fool the user into thinking the malicious file was legitimate – it opened a real document called mahdi.txt. “The content of the document was an article discussing Israel vs. Iran electronic warfare,” according to Seculert.
The virus and the technology used to run the campaign are nothing fancy, but they have worked well enough to steal “multiple gigabytes of data” from “high-profile victims,” according to Kaspersky.
Efforts to reach Iranian authorities for comment have been unsuccessful.
The Iran Project is not responsible for the content of quoted articles.