Further investigation in the wiper attack on the Iranian Train system on 9th July by security researchers at SentinelLabs has revealed a never seen before wiper.

In a report published Thursday, the firm confirmed that its researchers could reconstruct the attack chain, which included the new wiper. Thanks to OPSEC mistakes, the name of the wiper — Meteor, was revealed. The campaign is subsequently being called MeteorExpress. 

As of right now, the attacks haven’t been tied back to a previously known threat actor, group or even any previous attacks. Artefacts suggest that the wiper was developed in the last three years and has been designed for reuse. 

---

A new menace in the market?

On 9th July, the entire Iranian train system was hit by a wiper attack which disrupted services. The attack also included some heavy trolling as screens on railway stations prompted commuters to call 64411 == the number for the office of Supreme Leader Ali Khamenei.

A phone number–64411–was displayed on boards of train stations today in #Iran amid the reported cyberattack on the rail system. It directed commuters there to call for more information. It matched the number to #Iran's Supreme Leader's Office that is displayed on his website. pic.twitter.com/IQQ85I6QhJ

— Iran International English (@IranIntl_En) July 9, 2021

On 18 July, security researcher Anton Cherepanov pointed out an early analysis of the attack by Padvish, an Iranian antivirus company. SentinalLabs were able to recover most of the attack components described in the post, along with a few additional components they had missed.

Using the early analysis from Padvish and a recovered attacker artefact that included a list of component names, it was discovered that the attackers abused Group Policy to distribute a cab file to initiate the attack. However, most of the attack was orchestrated by a set of batch files nested alongside their respective components and linked together for successive execution. 

Each batch file serves a purpose in the attack chain, such as rendering the machine unusable or clearing event logs and then calls another batch file to execute the next step. 

The attackers also used native commands such as wevtutil to clear security systems and application event logs. The attack also abuses a tool called Sync to flush the filesystem cache to the disk manually. 

The intended action here is separated into three different payloads, in addition to a bunch of batch files (which spawn other batch files) and different RAR archives with multiple .exe files. All this adds a strange level of fragmentation to the overall attack toolkit. 

At its simplest, this wiper can well wipe files. It also deletes shadow copies and removes the machine from the connected domain to avoid remediation. However, many other features haven’t been used in this particular attack. These additional features include

• Changing passwords for all users
• Disabling screensavers
• Process termination based on a list of target processes
• Installing a screen locker
• Disabling recovery mode
• Changing boot policy error handling
• Creating scheduled tasks
• Logging off local sessions
• Changing lock screen images for different Windows versions (XP, 7, 10)
• Creating processes and executing commands

In the News: OpenAI introduces Triton: an Nvidia CUDA alternative