Meteor, a wiper malware, was responsible for the cyber-attack on Iran’s national railway system, rather than ransomware as previously supposed.
Meteor was previously undetected malware, and it has yet to be tied to any advanced persistent threat actors.
On July 9, a cyberattack on Iran’s railroad system occurred, with hackers posting fake messages about train delays or cancellations on display boards at stations across the country.
The wiper is tracked as ‘Meteor’ and the campaign as MeteorExpress, according to SentinelOne researchers.
The MeteorExpress attack chain starts with the attackers misusing Group Policy to distribute a .cab file, which is then used to launch the attack.
Three components were used in the attacks: the Meteor wiper itself, a program called mssetup.exe that acted as a screenlocker to lock users out of their PCs, and nti.exe, which corrupted the system’s master boot record (MBR).
Once the malware had spread throughout the target network, it deleted shadow volume copies to hinder data recovery and removed the machine from the domain so that affected devices could not be quickly remediated.
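As an added example (not code from the article or from SentinelOne’s report), the following Python check correlates process-creation records per host and flags a machine on which several of the behaviours described above (unpacking a GPO-delivered .cab, deleting shadow copies, leaving the domain) occur together. The event records are constructed samples, and the patterns match common Windows built-ins for those actions rather than Meteor’s actual command lines, which this page does not give.

```python
"""Host-level correlation of the MeteorExpress-style behaviour sequence.

Input records are constructed samples (host, command line); the regexes cover
well-known built-in commands for each behaviour and are an assumption, not a
claim about the exact commands used in the Iranian railway incident.
"""
import re
from collections import defaultdict

# Behaviour name -> pattern over the process command line (assumed built-ins).
BEHAVIOURS = {
    "cab_expand": re.compile(r"\bexpand(\.exe)?\b.*\.cab", re.I),
    "shadow_copy_delete": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "domain_unjoin": re.compile(r"(remove-computer|netdom(\.exe)?\s+remove)", re.I),
}

# Constructed sample events: one host shows the full chain, the others are benign.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": r"cmd.exe /c expand C:\Windows\Temp\update.cab -F:* C:\Windows\Temp\out"},
    {"host": "ws01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmd": "netdom remove ws01 /domain:corp.example /force"},
    {"host": "ws02", "cmd": r"notepad.exe C:\Users\a\notes.txt"},
    {"host": "ws03", "cmd": "vssadmin list shadows"},  # listing, not deleting: benign
]


def classify(cmd: str) -> list[str]:
    """Return the behaviour names whose pattern matches this command line."""
    return [name for name, rx in BEHAVIOURS.items() if rx.search(cmd)]


def correlate(events) -> dict[str, list[str]]:
    """Collect the distinct behaviours observed on each host."""
    per_host: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for behaviour in classify(ev["cmd"]):
            per_host[ev["host"]].add(behaviour)
    return {host: sorted(bs) for host, bs in per_host.items()}


def alerts(events, threshold: int = 2) -> list[str]:
    """Hosts on which at least `threshold` distinct chain behaviours were seen."""
    return sorted(h for h, bs in correlate(events).items() if len(bs) >= threshold)


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
    print("alert hosts:", alerts(SAMPLE_EVENTS))
```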
The malware erased the files on affected systems and displayed a message instructing victims to call a phone number associated with Supreme Leader Ayatollah Ali Khamenei’s office.
According to experts, the malware is a sophisticated threat with various components that might be reused in future attacks with unforeseeable implications.
While some elements of the malware appeared to have been built by skilled developers, it was coded in an unorganized manner, according to the researchers.
There was feature redundancy between different components of the attack chain, implying an uncoordinated allocation of duties across teams that may have rushed to pull the operation together.