Security researchers at SentinelOne have stumbled upon a hitherto unknown data-wiping malware that was part of a disruptive cyberattack against Iran’s train system earlier this month.
Following cryptic reports of a malware attack that paralyzed the Iranian train system on July 9, SentinelOne threat hunters reconstructed the attack chain and discovered a destructive wiper component that could be used to scrub data from infected systems.
Wipers, considered the most destructive of all malware types, have been observed mostly in attacks in the Middle East, with the 2012 Shamoon attacks against Saudi Aramco being the most prominent example.
In a research paper, SentinelOne threat hunter Juan Andres Guerrero-Saade said the never-before-seen wiper was developed in the past three years and appears designed for reuse in multiple campaigns.
Based on artifacts found in the malware files, SentinelOne is using the MeteorExpress codename to identify the wiper.
“[This has] the fingerprints of an unfamiliar attacker,” Guerrero-Saade said, noting that his team was unable to capture all the files associated with the wiper component of the malware.
“While we were able to recover a surprising amount of files for a wiper attack, some have eluded us. The MBR corrupter ‘nti.exe’ is most notable among those missing components,” Guerrero-Saade explained.
He said the overall toolkit is a combination of batch files orchestrating different components dropped from RAR archives. “The wiper components are split by functionality: Meteor encrypts the filesystem based on an encrypted configuration, nti.exe corrupts the MBR, and mssetup.exe locks the system.”
Guerrero-Saade also noted a “strange level of fragmentation” to the overall toolkit. He pointed to batch files spawning other batch files, different RAR archives containing intermingled executables, and even the intended action being separated into three payloads.
“Meteor wipes the filesystem, mssetup.exe locks the user out, and nti.exe presumably corrupts the MBR,” he said, providing technical documentation on the inner workings of the malware.
“At its most basic functionality, the Meteor wiper takes a set of paths from the encrypted config and walks these paths, wiping files. It also makes sure to delete shadow copies and removes the machine from the domain to avoid means of quick remediation,” he said.
He said the wiper can also be used to change passwords for all users, disable screensavers, terminate processes based on a list of target processes, install screen lockers, disable recovery mode or create scheduled tasks.
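The remediation-blocking behaviours described above (shadow copy deletion, disabling recovery mode, removing the machine from the domain, mass password changes, screensaver changes and scheduled-task creation) are a useful detection surface regardless of which wiper binary carries them out. The script below is an added example for this article, not code from SecurityWeek or from SentinelOne's report: it applies simple command-line rules to process-creation events and flags a host when several distinct behaviours cluster within a short window. The log lines, host names, rule names, window length and threshold are all constructed or assumed for illustration.

```python
"""Behavioural detector for wiper-style remediation blocking (added example).

Runs a small set of command-line rules over process-creation events and
flags hosts where several distinct behaviours occur within one time window.
All events below are constructed sample data, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule name -> regex applied to the lower-cased command line.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bwmic(?:\.exe)?\s+shadowcopy\s+delete")),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?.*recoveryenabled\s+no")),
    ("domain_unjoin",
     re.compile(r"unjoindomainorworkgroup|\bnetdom(?:\.exe)?\s+remove|remove-computer")),
    # "net user <name> <value>" with a non-switch second argument, i.e. a password set.
    ("user_password_change",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+[^/\s]\S*")),
    ("screensaver_disabled",
     re.compile(r"\breg(?:\.exe)?\s+add.*screensaveactive.*\b0\b")),
    ("scheduled_task_created",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create")),
]

# Constructed sample events: (ISO timestamp, host, command line).
# ws-01 shows the clustered pattern; ws-02 and ws-03 are benign noise.
SAMPLE_EVENTS = [
    ("2021-07-09T03:00:01", "ws-01", "vssadmin.exe delete shadows /all /quiet"),
    ("2021-07-09T03:00:02", "ws-01", "bcdedit.exe /set {default} recoveryenabled no"),
    ("2021-07-09T03:00:03", "ws-01", "net.exe user alice Zz9!placeholder"),
    ("2021-07-09T03:00:03", "ws-01", "net.exe user bob Zz9!placeholder"),
    ("2021-07-09T03:00:04", "ws-01",
     "reg.exe add hkcu\\control panel\\desktop /v screensaveactive /t reg_sz /d 0 /f"),
    ("2021-07-09T03:00:05", "ws-01",
     "schtasks.exe /create /tn lock /tr c:\\placeholder\\mssetup.exe /sc onstart"),
    ("2021-07-09T03:00:06", "ws-01",
     "wmic.exe computersystem where name='ws-01' call unjoindomainorworkgroup"),
    ("2021-07-09T09:15:00", "ws-02", "schtasks.exe /create /tn backup /tr c:\\tools\\backup.exe /sc daily"),
    ("2021-07-09T11:40:00", "ws-03", "notepad.exe c:\\users\\carol\\notes.txt"),
]


def match_rules(cmdline):
    """Return the names of every rule the command line matches (case-insensitive)."""
    cmd = cmdline.lower()
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(events, window=timedelta(minutes=10), min_behaviours=3):
    """Group rule hits per host and score each host by the largest number of
    distinct behaviours seen inside any single `window`. Returns
    {host: {"behaviours": [...], "severity": "high"|"low"}} for hosts with hits."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        for name in match_rules(cmd):
            per_host[host].append((datetime.fromisoformat(ts), name))

    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        # Slide a window starting at each hit and keep the richest set of behaviours.
        for i, (t0, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - t0 <= window}
            if len(names) > len(best):
                best = names
        severity = "high" if len(best) >= min_behaviours else "low"
        findings[host] = {"behaviours": sorted(best), "severity": severity}
    return findings


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['severity']} -> {', '.join(finding['behaviours'])}")
```

A single scheduled task or password reset is routine administration, which is why the scoring keys on how many distinct behaviours coincide on one host rather than on any one command; in production the same rules would be fed from Sysmon or EDR process-creation telemetry, and the threshold tuned against the environment's normal admin activity.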
Guerrero-Saade found clues in the Meteor wiper that point to an externally configurable design that allows efficient reuse for different operations. “The externally configurable nature of the wiper entails that it wasn’t created for this particular operation.”
The SentinelOne researcher described the attacker as “an intermediate level player” whose tooling ranges from amateurish and clunky to slick, sitting alongside well-developed data-wiping malware.
“We cannot yet make out the shape of this adversary across the fog. Perhaps it’s an unscrupulous mercenary group. Or the latent effects of external training coming to bear on a region’s nascent operators. At this time, any form of attribution is pure speculation and threatens to oversimplify a raging conflict between multiple countries with vested interests, means, and motive,” Guerrero-Saade said.
SentinelOne has published indicators of compromise (IOCs) and YARA rules to encourage additional research into this mysterious threat actor.

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.