SecurityWeek

ICS/OT

Researchers Link Mysterious ‘MeteorExpress’ Wiper to Iranian Train Cyberattack

Security researchers at SentinelOne have stumbled upon a hitherto unknown data-wiping malware that was part of a disruptive cyberattack against Iran’s train system earlier this month.

Following cryptic reports of a malware attack that paralyzed the Iranian train system on July 9, SentinelOne threat hunters reconstructed the attack chain and discovered a destructive wiper component that could be used to scrub data from infected systems.

Wipers, considered the most destructive of all malware types, have been observed mostly in attacks in the Middle East, with the 2012 Shamoon attacks against Saudi Aramco being the most prominent example.

In a research paper, SentinelOne threat hunter Juan Andres Guerrero-Saade said the never-before-seen wiper was developed in the past three years and appears designed for reuse in multiple campaigns.

Based on artifacts found in the malware files, SentinelOne is using the MeteorExpress codename to identify the wiper.

“[This has] the fingerprints of an unfamiliar attacker,” Guerrero-Saade said, noting that his team was unable to capture all the files associated with the wiper component of the malware.

[ Related: Details Emerge on Iranian Railroad Cyberattack ]

“While we were able to recover a surprising amount of files for a wiper attack, some have eluded us. The MBR corrupter ‘nti.exe’ is most notable among those missing components,” Guerrero-Saade explained.

He said the overall toolkit is a combination of batch files orchestrating different components dropped from RAR archives. “The wiper components are split by functionality: Meteor encrypts the filesystem based on an encrypted configuration, nti.exe corrupts the MBR, and mssetup.exe locks the system.”

Guerrero-Saade also noted a “strange level of fragmentation” to the overall toolkit. He pointed to batch files spawning other batch files, different RAR archives containing intermingled executables, and even the intended action being separated into three payloads.

“Meteor wipes the filesystem, mssetup.exe locks the user out, and nti.exe presumably corrupts the MBR,” he said, providing technical documentation on the inner workings of the malware.

“At its most basic functionality, the Meteor wiper takes a set of paths from the encrypted config and walks these paths, wiping files. It also makes sure to delete shadow copies and removes the machine from the domain to avoid means of quick remediation,” he said.

He said the wiper can also be used to change passwords for all users, disable screensavers, terminate processes based on a list of target processes, install screen lockers, disable recovery mode or create scheduled tasks.
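The remediation-blocking actions listed above (deleting shadow copies, disabling recovery, resetting passwords, creating scheduled tasks, leaving the domain) are each individually noisy but common in administration; what makes them worth an alert is several of them landing on one host within seconds. The following is an added detection example written for this article, not SentinelOne's or SecurityWeek's code and not derived from the published IOCs or YARA rules. It parses constructed process-creation events (the pipe-delimited format, host names, command lines and the 10-minute correlation window are all assumptions) and scores each host by how many distinct tactic categories appear together.

```python
"""Behavioral correlation of remediation-blocking actions in process-creation
telemetry (e.g. Sysmon Event ID 1 or Security 4688 command lines).
Event format (assumed for this example): "<ISO timestamp>|<host>|<command line>".
"""
import re
from datetime import datetime, timedelta

# Constructed sample events: one host shows the chain of actions the article
# attributes to the wiper, the others show ordinary administrative use.
SAMPLE_EVENTS = """\
2021-07-09T06:58:10|WS-01|C:\\Windows\\System32\\svchost.exe -k netsvcs
2021-07-09T07:00:02|WS-01|cmd.exe /c vssadmin.exe delete shadows /all /quiet
2021-07-09T07:00:03|WS-01|bcdedit.exe /set {default} recoveryenabled no
2021-07-09T07:00:04|WS-01|net.exe user administrator Xk39!pq
2021-07-09T07:00:05|WS-01|schtasks.exe /create /tn svcupdate /tr C:\\ProgramData\\update.exe /sc onstart
2021-07-09T07:00:06|WS-01|netdom.exe remove WS-01 /domain:corp.example /force
2021-07-09T09:15:00|WS-02|schtasks.exe /create /tn backup /tr C:\\tools\\backup.bat /sc daily
2021-07-09T12:30:00|WS-03|vssadmin.exe list shadows
"""

# Tactic categories and the command-line patterns that indicate them. The
# MITRE ATT&CK ids in the comments are the public ones for these behaviours.
RULES = {
    # T1490 Inhibit System Recovery
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    # T1490 Inhibit System Recovery
    "recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    # T1531 Account Access Removal: "net user <name> <password>" (deliberately broad,
    # the negative lookaheads exclude read-only forms such as "net user bob /domain")
    "password_reset": re.compile(r"\bnet1?(\.exe)?\s+user\s+(?!/)\S+\s+(?!/)\S+", re.I),
    # T1053.005 Scheduled Task
    "scheduled_task_created": re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
    # Removing the machine from the domain (netdom or the PowerShell cmdlet)
    "domain_removal": re.compile(r"\bnetdom(\.exe)?\s+remove\b|\bRemove-Computer\b", re.I),
}

WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_events(text):
    """Parse pipe-delimited events into (timestamp, host, command line) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, cmd = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), host, cmd))
    return events


def classify(cmdline):
    """Return the list of tactic categories a single command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def correlate(events, window=WINDOW):
    """Map each host with at least one hit to (severity, sorted categories).

    Severity reflects the largest set of distinct categories seen on that host
    inside any window of the given length: 1 -> low, 2 -> medium, 3+ -> high.
    """
    by_host = {}
    for ts, host, cmd in sorted(events):
        for cat in classify(cmd):
            by_host.setdefault(host, []).append((ts, cat))
    results = {}
    for host, hits in by_host.items():
        best = set()
        for t0, _ in hits:
            in_window = {c for t, c in hits if t0 <= t <= t0 + window}
            if len(in_window) > len(best):
                best = in_window
        severity = "high" if len(best) >= 3 else "medium" if len(best) == 2 else "low"
        results[host] = (severity, sorted(best))
    return results


if __name__ == "__main__":
    for host, (severity, cats) in sorted(correlate(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{host}: {severity} ({', '.join(cats)})")
```

On the sample, WS-01 scores high with all five categories inside four seconds, WS-02's lone scheduled task is low, and WS-03's read-only `vssadmin list shadows` produces no hit at all. The `password_reset` pattern is intentionally broad; in production it should be scoped by the account issuing the command and by the number of distinct targets, since the article describes the wiper resetting passwords for all users.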

Guerrero-Saade found clues in the Meteor wiper that point to an externally configurable design that allows efficient reuse for different operations. “The externally configurable nature of the wiper entails that it wasn’t created for this particular operation.”

The SentinelOne researcher described the attacker as “an intermediate level player” whose tooling ranges from clunky and amateurish to slick and well-developed, data-wiping malware.

“We cannot yet make out the shape of this adversary across the fog. Perhaps it’s an unscrupulous mercenary group. Or the latent effects of external training coming to bear on a region’s nascent operators. At this time, any form of attribution is pure speculation and threatens to oversimplify a raging conflict between multiple countries with vested interests, means, and motive,” Guerrero-Saade said.

SentinelOne has published indicators of compromise (IOCs) and YARA rules to encourage additional research into this mysterious threat actor.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
