Researchers said today that they have noticed some new features and
changes to the data-stealing malware Mahdi and have uncovered a
reference to "Flame," which could potentially indicate some connection
to the malware of the same name that also has numerous infections in Iran.
"Last night, we received a new version of the #Madi malware. Following
the shutdown of the Madi command and control domains last week, we
thought the operation is now dead. Looks like we were wrong," Nicolas
Brulez of Kaspersky Labs wrote in a post on its SecureList blog.
The new version, compiled just today, contains "many interesting
improvements and new features. It now has the ability to monitor
VKontakte, together with Jabber conversations. It is also looking for
people who visit pages containing 'USA' and 'gov' in their titles. In
such cases, the malware makes screenshots and uploads them to the C2,"
or command-and-control server, he said. The new "USA" checks could
indicate a shift in focus from targets in Israel to targets in the U.S.,