Security researchers at SentinelOne have stumbled upon a hitherto unknown data-wiping malware that was part of a disruptive cyberattack against Iran’s train system earlier this month.
Following cryptic reports of a malware attack that paralyzed the Iranian train system on July 9, SentinelOne threat hunters reconstructed the attack chain and discovered a destructive wiper component that could be used to scrub data from infected systems.
Wipers, considered the most destructive of all malware types, have been observed mostly in attacks in the Middle East, with the 2012 Shamoon attacks against Saudi Aramco being the most prominent example.
In a research paper, SentinelOne threat hunter Juan Andres Guerrero-Saade said the never-before-seen wiper was developed in the past three years and appears designed for reuse in multiple campaigns.
Based on artifacts found in the malware files, SentinelOne is using the MeteorExpress codename to identify the wiper.
“[This has] the fingerprints of an unfamiliar attacker,” Guerrero-Saade said, noting that his team was unable to capture all the files associated with the wiper component of the malware.
“While we were able to recover a surprising amount of files for a wiper attack, some have eluded us. The MBR corrupter ‘nti.exe’ is most notable among those missing components,” Guerrero-Saade explained.
He said the overall toolkit is a combination of batch files orchestrating different components dropped from RAR archives. “The wiper components are split by functionality: Meteor encrypts the filesystem based on an encrypted configuration, nti.exe corrupts the MBR, and mssetup.exe locks the system.”
Guerrero-Saade also noted a “strange level of fragmentation” to the overall toolkit. He pointed to batch files spawning other batch files, different RAR archives containing intermingled executables, and even the intended action being separated into three payloads.
“Meteor wipes the filesystem, mssetup.exe locks the user out, and nti.exe presumably corrupts the MBR,” he said, providing technical documentation on the inner workings of the malware.
“At its most basic functionality, the Meteor wiper takes a set of paths from the encrypted config and walks these paths, wiping files. It also makes sure to delete shadow copies and removes the machine from the domain to avoid means of quick remediation,” he said.
He said the wiper can also be used to change passwords for all users, disable screensavers, terminate processes based on a list of target processes, install screen lockers, disable recovery mode or create scheduled tasks.
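The behaviours described above (shadow-copy deletion, domain removal, mass password changes, scheduled-task creation) are also what a defender would hunt for in process-creation telemetry. The following is an added example, not SentinelOne's code or the published YARA rules: a small heuristic that tags hosts showing several of those behaviours in a batch of constructed log lines. The command patterns it matches are common Windows mechanisms for each action and are an assumption of the example; the article does not state which commands Meteor itself invokes.

```python
import re
from collections import defaultdict

# Assumed command patterns for the behaviours the article attributes to the
# Meteor wiper. These are typical Windows mechanisms, not confirmed Meteor
# command lines.
PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "domain_removal": re.compile(r"netdom(\.exe)?\s+remove|Remove-Computer", re.I),
    "password_change": re.compile(r"net(\.exe)?\s+user\s+\S+\s+\S+", re.I),
    "scheduled_task": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
}

def score_host_logs(lines):
    """Return {host: set(behaviours)} for constructed process-creation
    lines of the form '<time> <host> <user> CommandLine=<cmd>'."""
    hits = defaultdict(set)
    for line in lines:
        m = re.match(r"\S+\s+(\S+)\s+\S+\s+CommandLine=(.*)", line)
        if not m:
            continue  # skip lines that are not in the expected shape
        host, cmd = m.group(1), m.group(2)
        for name, pat in PATTERNS.items():
            if pat.search(cmd):
                hits[host].add(name)
    return dict(hits)

def flag_wiper_candidates(lines, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours in the sample.
    A single match (e.g. one scheduled task) is routine admin activity;
    several together on one host is the pattern worth escalating."""
    return sorted(h for h, b in score_host_logs(lines).items() if len(b) >= threshold)

# Constructed sample lines (not real telemetry).
SAMPLE_LOGS = [
    "2021-07-09T06:00:01 WS01 SYSTEM CommandLine=vssadmin.exe delete shadows /all /quiet",
    "2021-07-09T06:00:02 WS01 SYSTEM CommandLine=netdom.exe remove WS01 /force",
    "2021-07-09T06:00:03 WS01 SYSTEM CommandLine=schtasks.exe /create /tn upd /tr c:\\x.exe",
    "2021-07-09T06:05:00 WS02 alice CommandLine=notepad.exe notes.txt",
    "2021-07-09T06:06:00 WS02 admin CommandLine=schtasks.exe /create /tn backup /tr b.bat",
]

if __name__ == "__main__":
    print(flag_wiper_candidates(SAMPLE_LOGS))  # ['WS01']
```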
Guerrero-Saade found clues in the Meteor wiper that point to an externally configurable design that allows efficient reuse for different operations. “The externally configurable nature of the wiper entails that it wasn’t created for this particular operation.”
The SentinelOne researcher described the attacker as “an intermediate level player” whose tooling ranges from amateurish and clunky to slick, sitting alongside well-developed data-wiping malware.
“We cannot yet make out the shape of this adversary across the fog. Perhaps it’s an unscrupulous mercenary group. Or the latent effects of external training coming to bear on a region’s nascent operators. At this time, any form of attribution is pure speculation and threatens to oversimplify a raging conflict between multiple countries with vested interests, means, and motive,” Guerrero-Saade said.
SentinelOne has published indicators of compromise (IOCs) and YARA rules to encourage additional research into this mysterious threat actor.