Mahdi, which is named after files used in the malware, refers to the Muslim messiah who, it’s prophesied, will arrive before the end of time to cleanse the world of wrongdoing and bestow peace and justice before Judgment Day. But this recently discovered Mahdi is only interested in one kind of cleansing – vaccuuming up PDFs, Excel files and Word documents from victim machines.
The malware, which is not sophisticated, according to Costin Raiu, senior security researcher at Kaspersky Lab, can be updated remotely from command-and-control servers to add various modules designed to steal documents, monitor keystrokes, take screenshots of e-mail communications and record audio.
While researchers have found no particular pattern to the infections, victims have included critical infrastructure engineering firms, financial service companies, and government agencies and embassies. Of the 800 targets discovered so far, 387 have been in Iran, 54 in Israel and the rest in other countries in the Middle East. Gigabytes of data were stolen over the last eight months.