In recent attacks on Iran’s rail system, a new file-wiping malware called Meteor was discovered.
Earlier this month, Iran’s Ministry of Transport and the national train system suffered a cyberattack, causing the agency’s websites to shut down and disrupting train service. Threat actors also posted messages on railroad message boards stating that trains were delayed or canceled due to a cyberattack.
Some of these messages instructed passengers to call a phone number for more information; the number belongs to the office of Supreme Leader Ali Khamenei.
Messages posted by the hackers on railroad message boards
In addition to trolling the railroad, the threat actors locked Windows devices on the network with a lock screen that prevented access to the device.
New Meteor wiper used in Iran attacks
In a new report from SentinelOne, security researcher Juan Andrés Guerrero-Saade revealed that the cyberattack on Iran used a never-before-seen file wiper called Meteor.
A wiper is malware that intentionally deletes files on a computer and renders it unable to boot.
Unlike ransomware attacks, destructive wiper attacks are not used to generate revenue for attackers. Instead, their goal is to cause chaos in an organization or distract managers while another attack occurs.
While Iranian cybersecurity firm Aman Pardaz had previously analyzed the wiper, SentinelOne was able to recover additional missing components to provide a clearer picture of the attack.
“Despite the lack of specific indicators of compromise, we were able to recover most of the attack components described in the post along with additional components that had been lost,” explained Guerrero-Saade in the SentinelOne report.
“Behind this outlandish story of stopped trains and simplistic trolls, we found the fingerprints of an unknown attacker.”
The attack itself is called ‘MeteorExpress’ and uses a suite of executable and batch file tools to wipe a system, lock the device’s Master Boot Record (MBR), and install a screen locker.
MeteorExpress attack chain
To initiate the attack, the threat actors extracted a RAR file protected with the password ‘hackemall’. The attackers then placed these files on a network share accessible to the rest of the computers on the Iranian railway network.
The threat actor then configured Windows Group Policies to launch a batch file, setup.bat, which would copy various executables and batch files to the local device and run them.
Batch file setup.bat
As part of this process, the batch files would go through the following steps:
- Check if Kaspersky antivirus was installed and end the attack if found.
- Disconnect the device from the network.
- Add Windows Defender exclusions to prevent malware from being detected.
- Extract various malware executables and batch files on the system.
- Clear the Windows event logs.
- Delete a scheduled task called ‘AnalyzeAll’ in the Windows Energy Efficiency Diagnostics directory.
- Use the Sysinternals ‘Sync’ tool to flush the file system cache to disk.
- Launch the Meteor wiper (env.exe or msapp.exe), MBR locker (nti.exe), and screen locker (mssetup.exe) on the computer.
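The sequence above gives defenders several host-level signals that are worth correlating rather than alerting on one at a time. The following is an added example, not code from the SentinelOne report or from the attackers’ tooling: it tags constructed process-creation records against four of the stages described (Defender exclusion, event log clearing, scheduled task deletion, Sysinternals Sync) and flags any host where more than one stage appears. The command-line patterns, host names and the two-stage threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events as (host, command line).
# These are illustrative records, not real telemetry from the incident.
SAMPLE_EVENTS = [
    ("wks-01", "powershell.exe Add-MpPreference -ExclusionPath C:\\temp"),
    ("wks-01", "wevtutil.exe cl Security"),
    ("wks-01", "schtasks.exe /delete /tn AnalyzeAll /f"),
    ("wks-01", "sync.exe -nobanner"),
    ("wks-02", "wevtutil.exe cl Application"),  # a single stage on its own can be admin housekeeping
    ("wks-03", "notepad.exe C:\\readme.txt"),
]

# One regex per MeteorExpress stage described in the article (patterns are assumptions).
STAGES = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion", re.I),
    "event_log_clear": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "task_delete": re.compile(r"\bschtasks(\.exe)?\s+/delete\b", re.I),
    "disk_sync": re.compile(r"\bsync(\.exe)?\b", re.I),
}


def classify(cmdline):
    """Return the name of the chain stage a command line matches, or None."""
    for name, pattern in STAGES.items():
        if pattern.search(cmdline):
            return name
    return None


def correlate(events, min_stages=2):
    """Collect distinct matched stages per host, in order of first appearance,
    and return only the hosts that reached at least min_stages stages."""
    seen = defaultdict(list)
    for host, cmdline in events:
        stage = classify(cmdline)
        if stage and stage not in seen[host]:
            seen[host].append(stage)
    return {host: stages for host, stages in seen.items() if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Raising `min_stages` trades missed partial runs for fewer alerts from routine administration; the ordering kept per host lets an analyst see whether the stages appeared in the same order as the batch file.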
When completed, the device will not be able to boot, its files will be erased, and a screen locker will be installed showing the following wallpaper before the computer is restarted for the first time.
MeteorExpress lock screen
While SentinelOne was unable to find the ‘nti.exe’ MBR locker, researchers at Aman Pardaz claim that it overlaps with the notorious NotPetya wiper.
“An interesting statement on the Padvish blog is that the way nti.exe corrupts the MBR is by overwriting the same sectors as the infamous NotPetya,” Guerrero-Saade explained.
“While the first instinct might be to assume that the NotPetya operators were involved or that this is an attempt at a false flag operation, it is important to remember that the NotPetya MBR corruption scheme was primarily based on the original Petya used in criminal operations.”
Initially thought to be a ransomware attack, NotPetya was a wiper that wreaked havoc around the world in 2017 by spreading to exposed networks via the NSA’s ETERNALBLUE exploit and encrypting devices.
In 2020, the US indicted six Russian GRU intelligence agents believed to be part of the elite Russian hacking group known as “Sandworm” for the NotPetya attack.
At this time, the motive for the Meteor wiper attacks on Iran’s railway is unclear, and the attacks have not been attributed to any particular group or country.
“We cannot yet distinguish the shape of this adversary through the fog. Perhaps it is an unscrupulous mercenary group. Or the latent effects of external training affecting the nascent operators of a region,” concludes the SentinelOne report.
“Right now, any form of attribution is pure speculation and threatens to oversimplify a raging conflict between various countries with vested interests, means and motives.”