30 July 2021

New destructive wiper malware linked to recent Iranian railway attack


New destructive wiper malware linked to recent Iranian railway attack

It appears that the destructive cyberattack against Iranian train system that took place earlier this month was caused by a previously undocumented wiper malware.

Following the reports about the incident, security researchers with SentinelOne conducted their own investigation and discovered a destructive wiper component, which they dubbed ‘Meteor’, capable of deleting data on the infected systems.

According to SentinelOne threat hunter Juan Andres Guerrero-Saade, this is the first known case where this wiper was deployed. He said that it was developed in the past three years and appears designed for reuse in multiple campaigns.

The attack, named ‘MeteorExpress’, involved a toolkit of batch files and executables to wipe a system, lock the device's Master Boot Record (MBR), and install a screen locker. The Meteor wiper was just a part of the toolkit used in the attack, along with two other components – a file named mssetup.exe used to lock the user out of their PC, and nti.exe used for corrupting the victim computer’s master boot record (MBR).

In addition to wiping files, Meteor deletes shadow copies and removes the machine from the domain to avoid means of quick remediation. It also comes with additional functionality, such as the ability to change passwords for all users, disable screen servers, terminate processes, creating processes and execute commands, etc., although in the observed attack most of functionality was not used, the researchers said.

“We cannot yet make out the shape of this adversary across the fog. Perhaps it’s an unscrupulous mercenary group. Or the latent effects of external training coming to bear on a region’s nascent operators. At this time, any form of attribution is pure speculation and threatens to oversimplify a raging conflict between multiple countries with vested interests, means, and motive,” Guerrero-Saade noted.


Back to the list

Latest Posts

Windows MSHTML bug used in ransomware attacks, Microsoft says

Windows MSHTML bug used in ransomware attacks, Microsoft says

According to the Windows maker, in the wild exploitation of CVE-2021-40444 began on August 18.
17 September 2021
State-backed hackers actively exploiting recently disclosed Zoho RCE bug

State-backed hackers actively exploiting recently disclosed Zoho RCE bug

The targeted entities include academic institutions, defense contractors, as well as critical infrastructure entities.
17 September 2021
Free REvil/Sodinokibi ransomware universal decryptor released

Free REvil/Sodinokibi ransomware universal decryptor released

The tool works for all REvil victims whose files were encrypted in attacks prior to July 13, 2021.
17 September 2021
Featured vulnerabilities
Multiple vulnerabilities in cflinuxfs3
Medium Patched | 17 Sep, 2021
Information disclosure in cflinuxfs3
Medium Patched | 17 Sep, 2021
Information disclosure in Git
Medium Patched | 17 Sep, 2021
Multiple vulnerabilities in GLPI
Medium Patched | 17 Sep, 2021
Multiple vulnerabilities in cflinuxfs3
Medium Patched | 17 Sep, 2021