New destructive Meteor wiper malware used in Iranian railway attack

[silversurfer]

Content source

https://www.bleepingcomputer.com/news/security/new-destructive-meteor-wiper-malware-used-in-iranian-railway-attack/

A new file wiping malware called Meteor was discovered used in the recent attacks against Iran's railway system.

Earlier this month, Iran's transport ministry and national train system suffered a cyberattack, causing the agency's websites to shut down and disrupting train service. The threat actors also displayed messages on the railway's message boards stating that trains were delayed or canceled due to a cyberattack.

In a new report by SentinelOne, security researcher Juan Andres Guerrero-Saade revealed that the cyberattack on Iran utilized a previously unseen file wiper called Meteor.

A wiper is malware that intentionally deletes files on a computer and causes it to become unbootable. Unlike ransomware attacks, destructive wiper attacks are not used to generate revenue for the attackers. Instead, their goal is to cause chaos for an organization or to distract admins while another attack is taking place.

The attack itself is dubbed 'MeteorExpress,' and utilizes a toolkit of batch files and executables to wipe a system, lock the device's Master Boot Record (MBR), and install a screen locker. [...]

As part of this process, the batch files would go through the following steps:

• Check if Kaspersky antivirus was installed and terminate the attack if found.
• Disconnect the device from the network.
• Add Windows Defender exclusions to prevent the malware from being detected.
• Extract various malware executables and batch files to the system.
• Clear Windows event logs.
• Delete a scheduled task called ‘AnalyzeAll’ under the Windows Power Efficiency Diagnostics directory.
• Use Sysinternals 'Sync' tool to flush the filesystem cache to the disk.
• Launche the Meteor wiper (env.exe or msapp.exe), MBR locker (nti.exe), and screen locker (mssetup.exe) on the computer.

New destructive Meteor wiper malware used in Iranian railway attack

A new file wiping malware called Meteor was discovered used in the recent attacks against Iran's railway system.

www.bleepingcomputer.com

 

[[correlate]]

Indra — Hackers Behind Recent Attacks on Iran​

These days, when we think of nation-state level damage, we immediately think of the nation-state level actor that must be responsible for it. While most attacks against a nation’s sensitive networks are indeed the work of other governments, the truth is that there is no magic shield that prevents a non-state sponsored entity from creating the same kind of havoc, and harming critical infrastructure in order to make a statement.

In this piece, we present an analysis of a successful politically motivated attack on Iranian infrastructure that is suspected to be carried by a non-state sponsored actor. This specific attack happened to be directed at Iran, but it could as easily have happened in New York or Berlin. We’ll look at some of the technical details and expose the actor behind the attack — thereby linking it to several other politically motivated attacks from earlier years.

Indra — Hackers Behind Recent Attacks on Iran - Check Point Research

Check Point Research reveals that a threat actor named Indra is responsible for the attacks against targets in Iran, as well as against companies in Syria.

research.checkpoint.com

 

[wat0114]

Lots of batch files and archives being triggered. Looks like a decent default-deny policy would have stopped this threat dead in its tracks.

 

[upnorth]

the attacker had prior knowledge of the environment.

furthermore, they had access to the railway’s Active Directory server which they used to distribute the malicious files.