Researchers have discovered another piece of espionage malware targeting sensitive organizations in the Middle East, this time siphoning e-mails, passwords, computer files, and nearby conversations from more than 800 PCs operated by critical infrastructure companies, financial institutions, and government agencies.

Researchers from Kaspersky Lab and Seculert have dubbed the malware Madi or Mahdi, which in Islam is roughly analogous with Messiah. The name is based on several strings and handles used by the attackers. While its discovery immediately evoked comparisons to the Flame malware used to disrupt Iran's nuclear program, separate analyses released on Tuesday by both companies cataloged significant differences between the two campaigns. Madi, for instance, wielded no zero-day vulnerabilities, contained amateur coding practices, and relied on the gullibility of its victims. Flame, by contrast, boasted world-class cryptographic breakthroughs and other hallmarks that could have come only from state-sponsored developers.

"While we couldn't find a direct connection between the campaigns, the targeted victims of Mahdi include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern Countries," the analysis from Seculert stated. "It is still unclear whether this is a state-sponsored attack or not."

The campaign dates back at least to December and originates in e-mails that contain an array of news articles, videos, and religious themed images depicting the wilderness or tropical settings. To mask the maliciousness of some of the payloads, the attackers used a technique known as "Right to Left Override" to name some files. By manipulating the Unicode or UTF-8 text of the filenames, they were able to able to make executable code appear as simple image files with titles such as "picturcs.jpg," that were displayed with a common ".jpg" icon. Some of the attached material invites the reader to click on video files. Those who fell for the social-engineering ploy are then infected with malware.

Madi has the ability to log keystrokes, capture screenshots, and siphon any messages sent to or from a variety of widely used services including Gmail, Hotmail, Yahoo! Mail, Skype, or ICQ. It can also record audio that's in the vicinity of an infected machine and save it for upload. One version examined by Seculert communicated with a server located in Canada. The researchers said an earlier variant connected the same domain name, but the server was located in Tehran, Iran.

In all, they identified more than 800 victims who communicated with four different command and control servers over an eight-month period. Some of the communications between the malware and command-and-control servers use the Farsi language, and some of the dates contained in the malware are written in the format of the Persian calendar. Almost half of the infections—387 to be exact—hit Iran. Israel, Afghanistan, the United Arab Emirates, and Saudi Arabia were also targeted with 54, 14, six, and four infections respectively. Seculert researchers said they've been tracking Madi for "several months." The espionage campaign is ongoing.

In the wake of Flame, and the related malware known as Duqu and Stuxnet, the disclosure of yet another piece of malware targeting critical systems in Iran and other Middle Eastern countries is sure to spark widespread intrigue. The lack of any conclusive evidence showing who's behind it is sure to generate more curiosity in the coming weeks and months.

Post updated to remove incorrect detail about Flame zero-day exploits.