SecurityWeek

ICS/OT

Researchers Link Mysterious ‘MeteorExpress’ Wiper to Iranian Train Cyberattack

Security researchers at SentinelOne have stumbled upon a hitherto unknown data-wiping malware that was part of a disruptive cyberattack against Iran’s train system earlier this month.


Following cryptic reports of a malware attack that paralyzed the Iranian train system on July 9, SentinelOne threat hunters reconstructed the attack chain and discovered a destructive wiper component that could be used to scrub data from infected systems.

Wipers, considered the most destructive of all malware types, have been observed mostly in attacks in the Middle East, with the 2012 Shamoon attacks against Saudi Aramco being the most prominent example.

In a research paper, SentinelOne threat hunter Juan Andres Guerrero-Saade said the never-before-seen wiper was developed in the past three years and appears designed for reuse in multiple campaigns.

Based on artifacts found in the malware files, SentinelOne is using the MeteorExpress codename to identify the wiper.

“[This has] the fingerprints of an unfamiliar attacker,” Guerrero-Saade said, noting that his team was unable to capture all the files associated with the wiper component of the malware.


“While we were able to recover a surprising amount of files for a wiper attack, some have eluded us. The MBR corrupter ‘nti.exe’ is most notable among those missing components,” Guerrero-Saade explained.


He said the overall toolkit is a combination of batch files orchestrating different components dropped from RAR archives. “The wiper components are split by functionality: Meteor encrypts the filesystem based on an encrypted configuration, nti.exe corrupts the MBR, and mssetup.exe locks the system.”

Guerrero-Saade also noted a “strange level of fragmentation” to the overall toolkit. He pointed to batch files spawning other batch files, different RAR archives containing intermingled executables, and even the intended action being separated into three payloads.

“Meteor wipes the filesystem, mssetup.exe locks the user out, and nti.exe presumably corrupts the MBR,” he said, providing technical documentation on the inner workings of the malware.

“At its most basic functionality, the Meteor wiper takes a set of paths from the encrypted config and walks these paths, wiping files. It also makes sure to delete shadow copies and removes the machine from the domain to avoid means of quick remediation,” he said.

He said the wiper can also be used to change passwords for all users, disable screensavers, terminate processes based on a list of target processes, install screen lockers, disable recovery mode or create scheduled tasks.
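The remediation-blocking steps listed above (deleting shadow copies, leaving the domain, resetting passwords, disabling recovery, creating scheduled tasks) are staged before the destructive payload runs, which makes them a practical detection point: each one alone is routine administration, but several of them on one host within seconds is not. The following is an added example, not code from SentinelOne's report or from this article. It scans Sysmon Event ID 1 style process-creation records (the records in SAMPLE_LOG are constructed samples, not logs from the Iranian incident) for those behaviours and raises an alert when distinct categories cluster within a short window. The command lines it matches (vssadmin, wmic, wbadmin, bcdedit, schtasks, netdom, Remove-Computer, net user) are the common built-in ways to perform each action; that is an assumption about tradecraft, not the indicators SentinelOne published for MeteorExpress.

```python
"""Hunt for the remediation-blocking behaviours a wiper stages before destroying data.

Added example: not code from SentinelOne's report or the article. SAMPLE_LOG holds
CONSTRUCTED Sysmon Event ID 1 (process creation) style records, and the command-line
patterns are the common built-in ways to perform each action, an assumption about
tradecraft rather than MeteorExpress indicators.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour category -> regex applied to the lower-cased command line.
BEHAVIOURS = {
    # "deletes shadow copies"
    "shadow_copy_delete": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog)"
    ),
    # "disable recovery mode"
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"
    ),
    # "create scheduled tasks"
    "scheduled_task_create": re.compile(r"schtasks(\.exe)?\s+/create\b"),
    # "removes the machine from the domain"
    "domain_leave": re.compile(r"(netdom(\.exe)?\s+remove|remove-computer)"),
    # "change passwords": net user <name> <password>; a bare listing or /add does not match
    "password_change": re.compile(r"net1?(\.exe)?\s+user\s+\S+\s+(?!/)\S+"),
}

# Constructed sample records (newline-delimited JSON). Host ws-0421 shows a staging burst;
# ws-0107 shows benign admin activity that must not alert.
SAMPLE_LOG = r"""
{"ts":"2021-01-15T05:40:01","host":"ws-0421","user":"SYSTEM","cmd":"cmd.exe /c vssadmin delete shadows /all /quiet"}
{"ts":"2021-01-15T05:40:02","host":"ws-0421","user":"SYSTEM","cmd":"bcdedit /set {default} recoveryenabled no"}
{"ts":"2021-01-15T05:40:03","host":"ws-0421","user":"SYSTEM","cmd":"schtasks /create /sc once /st 05:55 /tn updater /tr C:\\temp\\locker.exe"}
{"ts":"2021-01-15T05:40:04","host":"ws-0421","user":"SYSTEM","cmd":"net user admin Xy7!pq /domain"}
{"ts":"2021-01-15T05:40:05","host":"ws-0421","user":"SYSTEM","cmd":"powershell -c Remove-Computer -Force -Restart"}
{"ts":"2021-01-15T09:12:44","host":"ws-0107","user":"backup_svc","cmd":"vssadmin list shadows"}
{"ts":"2021-01-15T11:03:10","host":"ws-0107","user":"admin","cmd":"schtasks /create /sc daily /st 02:00 /tn backup /tr C:\\tools\\backup.bat"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(record):
    """Return the set of behaviour names whose pattern matches this record's command line."""
    cmd = record.get("cmd", "").lower()
    return {name for name, rx in BEHAVIOURS.items() if rx.search(cmd)}


def find_staging(records, window=timedelta(minutes=10), min_categories=2):
    """Per host, alert when at least min_categories DISTINCT behaviours fall inside `window`.

    One admin creating a scheduled task is normal; shadow-copy deletion, a recovery
    disable and a domain leave within seconds of each other is pre-wipe staging.
    """
    by_host = defaultdict(list)
    for rec in records:
        cats = classify(rec)
        if cats:
            by_host[rec["host"]].append((datetime.fromisoformat(rec["ts"]), cats, rec["cmd"]))

    alerts = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(events):
            cluster = [e for e in events[i:] if e[0] - start <= window]
            seen = set().union(*(cats for _, cats, _ in cluster))
            if len(seen) >= min_categories:
                alerts[host] = {
                    "first_seen": start.isoformat(),
                    "behaviours": sorted(seen),
                    "commands": [cmd for _, _, cmd in cluster],
                }
                break  # first qualifying cluster is enough for one alert per host
    return alerts


if __name__ == "__main__":
    for host, alert in find_staging(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {alert['first_seen']} {alert['behaviours']}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

Run as-is it reports only ws-0421 with all five categories; ws-0107's backup job and shadow-copy listing stay silent. In production, feed it real Sysmon or EDR process-creation events, keep the correlation window short, and treat any single hit on shadow-copy deletion or recovery disable as worth a look on its own even when it does not reach the cluster threshold.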

Guerrero-Saade found clues in the Meteor wiper that point to an externally configurable design that allows efficient reuse for different operations. “The externally configurable nature of the wiper entails that it wasn’t created for this particular operation.”

The SentinelOne researcher described the attacker as “an intermediate level player” whose tooling ranges from amateurish and clunky to slick, with a well-developed data-wiping component sitting alongside the cruder pieces.

“We cannot yet make out the shape of this adversary across the fog. Perhaps it’s an unscrupulous mercenary group. Or the latent effects of external training coming to bear on a region’s nascent operators. At this time, any form of attribution is pure speculation and threatens to oversimplify a raging conflict between multiple countries with vested interests, means, and motive,” Guerrero-Saade said.

SentinelOne has published indicators of compromise (IOCs) and YARA rules to encourage additional research into this mysterious threat actor.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
