Researchers Link Mysterious ‘MeteorExpress’ Wiper to Iranian Train Cyberattack

Security researchers at SentinelOne have stumbled upon a hitherto unknown data-wiping malware that was part of a disruptive cyberattack against Iran’s train system earlier this month.

Following cryptic reports of a malware attack that paralyzed the Iranian train system on July 9, SentinelOne threat hunters reconstructed the attack chain and discovered a destructive wiper component that could be used to scrub data from infected systems.

Wipers, considered the most destructive of all malware types, have been observed mostly in attacks in the Middle East, with the 2012 Shamoon attacks against Saudi Aramco being the most prominent example.

In a research paper, SentinelOne threat hunter Juan Andres Guerrero-Saade said the never-before-seen wiper was developed in the past three years and appears designed for reuse in multiple campaigns.

Based on artifacts found in the malware files, SentinelOne is using the MeteorExpress codename to identify the wiper.

“[This has] the fingerprints of an unfamiliar attacker,” Guerrero-Saade said, noting that his team was unable to capture all the files associated with the wiper component of the malware.

[ Related: Details Emerge on Iranian Railroad Cyberattack ]

“While we were able to recover a surprising amount of files for a wiper attack, some have eluded us. The MBR corrupter ‘nti.exe’ is most notable among those missing components,” Guerrero-Saade explained.

He said the overall toolkit is a combination of batch files orchestrating different components dropped from RAR archives. “The wiper components are split by functionality: Meteor encrypts the filesystem based on an encrypted configuration, nti.exe corrupts the MBR, and mssetup.exe locks the system.” 

Guerrero-Saade also noted a “strange level of fragmentation” to the overall toolkit. He pointed to batch files spawning other batch files, different RAR archives containing intermingled executables, and even the intended action being separated into three payloads.

“Meteor wipes the filesystem, mssetup.exe locks the user out, and nti.exe presumably corrupts the MBR,” he said, providing technical documentation on the inner workings of the malware. 

“At its most basic functionality, the Meteor wiper takes a set of paths from the encrypted config and walks these paths, wiping files. It also makes sure to delete shadow copies and removes the machine from the domain to avoid means of quick remediation,” he said.

He said the wiper can also be used to change passwords for all users, disable screensavers, terminate processes based on a list of target processes, install screen lockers, disable recovery mode or create scheduled tasks.   
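The remediation-denial steps listed above (shadow copy deletion, disabling recovery, mass password changes, scheduled tasks, domain removal) are individually routine admin actions; it is their clustering on one host in a short window that is worth alerting on. The following is an added defender-side example, not SentinelOne's code or any of its published IoCs or YARA rules: the log format, the command-line shapes each pattern matches, and the sample telemetry are all assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per remediation-denial action the article attributes to Meteor. The
# command-line shapes are assumed typical forms, not artifacts from the report.
CAPABILITY_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    "domain_removal": re.compile(r"netdom(\.exe)?\s+remove|Remove-Computer", re.I),
    "mass_password_change": re.compile(r"\bnet(\.exe)?\s+user\s+\S+\s+\S+", re.I),
    "scheduled_task": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
}
# Constructed log format: "<ISO timestamp> host=<name> cmd=<command line>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cmd=(?P<cmd>.*)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return (datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]) if m else None

def detect_wiper_staging(lines, window=timedelta(minutes=10), min_capabilities=3):
    """Return {host: sorted capability names} for every host on which at least
    `min_capabilities` distinct remediation-denial actions fall inside `window`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than fail the whole batch
        ts, host, cmd = parsed
        for name, pat in CAPABILITY_PATTERNS.items():
            if pat.search(cmd):
                events[host].append((ts, name))
    alerts = {}
    for host, evs in events.items():
        evs.sort()  # chronological, so each event can start a sliding window
        for i, (start, _) in enumerate(evs):
            seen = {name for ts, name in evs[i:] if ts - start <= window}
            if len(seen) >= min_capabilities:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample telemetry: WS01 shows a staging cluster, WS02 does not.
SAMPLE_LOG = [
    "2021-07-09T06:00:01 host=WS01 cmd=vssadmin.exe delete shadows /all /quiet",
    "2021-07-09T06:00:05 host=WS01 cmd=bcdedit.exe /set {default} recoveryenabled no",
    "2021-07-09T06:00:09 host=WS01 cmd=net.exe user operator Temp!Pass",
    "2021-07-09T06:00:40 host=WS01 cmd=schtasks.exe /create /tn lock /tr mssetup.exe",
    "2021-07-09T06:01:00 host=WS02 cmd=schtasks.exe /create /tn nightly /tr backup.exe",
    "2021-07-09T06:01:30 host=WS02 cmd=vssadmin.exe delete shadows /for=C: /oldest",
]
```

Lowering `min_capabilities` or widening `window` trades false positives for earlier warning; with the defaults only WS01 is flagged.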

Guerrero-Saade found clues in the Meteor wiper that point to an externally configurable design that allows efficient reuse for different operations. “The externally configurable nature of the wiper entails that it wasn’t created for this particular operation.”

The SentinelOne researcher described the attacker as “an intermediate level player” whose tooling ranges from amateurish and clunky components to slick, well-developed data-wiping malware.

“We cannot yet make out the shape of this adversary across the fog. Perhaps it’s an unscrupulous mercenary group. Or the latent effects of external training coming to bear on a region’s nascent operators. At this time, any form of attribution is pure speculation and threatens to oversimplify a raging conflict between multiple countries with vested interests, means, and motive,” Guerrero-Saade said.

SentinelOne has published indicators of compromise (IOCs) and YARA rules to encourage additional research into this mysterious threat actor.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
