SentinelLabs researchers have discovered a campaign that used a wiper to immobilize the railway system of Iran. The campaign is named MeteorExpress and uses a never seen before Meteor wiper. The attacker behind this recent campaign attempted to troll the Iranian government as well.
What happened?
According to researchers, on July 9, a wiper targeted the Iranian train system and displayed a message that asked passengers to call a phone number of the Iranian Supreme Leader’s office to complain.
Early analysis, along with reconstructed and recovered attacker artifacts, revealed that the attacker compromised Group Policy to spread a cab file for the attack.
The toolkit included a combination of batch files with different components dropped from RAR archives. The archives included an attacker-supplied copy of Rar[.]exe with a password (hackemail).
The wiper components are divided by their functionality: Meteor encrypts the filesystem by using the encrypted configuration, nti[.]exe targets the MBR, and mssetup[.]exe is used to lock the screen or the system.
The nti[.]exe file is somewhat unique among all of the components because the sectors overwritten by this wiper component are found to be the same as overwritten by NotPetya.
Additional insights
Besides the use of a complex web of batch files, researchers revealed several additional details about this attack.
The main payload delivered in the attack chain is an exe dropped under env[.]exe or msapp[.]exe. Due to an OPSEC mistake, it was discovered that the wiper was internally referred to as Meteor.
The wiper component had several additional features that were not used during the attacks. This includes the ability to change user passwords, terminate specific system processes, creating scheduled tasks, and more.
Conclusion
The recent attacks on the Iranian railway system demonstrate the capability of the attackers behind the MeteorExpress campaign. Moreover, the attackers are believed to have had a thorough knowledge of their targets, making them a serious threat.