Researchers shed more light on the new file wiping malware dubbed Meteor that was used in the attacks against Iran’s railways earlier this month.
Instead of being used to generate revenue, wiper attacks are used to cause chaos and disruption in an organization.
The Meteor attacks affected the country’s transport ministry and its national train system. It caused the agency’s websites to shut down and disrupted train service. In addition to hacking the railway’s system, the threat actors also targeted Windows devices connected to the local network and locked them with a lock screen.
According to a new report by SentinelOne, the attack against Iran’s railways used a previously unseen file wiper known as Meteor. The attack itself is called MeteorExpress, and the threat actor uses a variety of tools, such as batch files and executables, to wipe a system and lock its Master Boot Record and deploy a screen locker.
The researchers were able to recover some of the attack components that were previously unknown to security researchers who analyzed this threat actor.
The attackers extracted malware files from a RAR archive and added them to a shared network of the Iranian railway. The threat actor then used Windows group policies to run a setup.bat batch file that would then execute various scripts and batch files on the local device.
The batch files would go through a series of steps, including disconnecting the device from the network, terminating Kaspersky antivirus, adding Windows Defender exclusions, extracting malware executables and batch files. Finally, it would launch the Meteor wiper (env.exe or msapp.exe), MBR locker (nti.exe), and screen locker (mssetup.exe).
According to the researchers, the malware shares similarities with the NotPetya wiper, although they didn’t find the nti.exe partition characteristic of that wiper.
“While one’s first instinct might be to assume that the NotPetya operators were involved or that this is an attempt at a false flag operation, it’s important to remember that NotPetya’s MBR corrupting scheme was mostly cribbed from the original Petya used for criminal operations,” security researcher Juan Andres Guerrero-Saade said.
The motives for the Meteor wiper attacks on the Iranian railway are not clear at this time, researchers said.
“We cannot yet make out the shape of this adversary across the fog. Perhaps it’s an unscrupulous mercenary group. Or the latent effects of external training coming to bear on a region’s nascent operators,” concludes SentinelOne’s report. “At this time, any form of attribution is pure speculation and threatens to oversimplify a raging conflict between multiple countries with vested interests, means, and motive.”