SentinelOne security researchers stumbled upon a previously unknown data-wiping malware that may have been part of a destructive cyber attack on Iran’s railway system earlier this month. SentinelLabs researchers were able to reconstruct most of the attack chain, including a wiper that had never been seen before. An OPSEC mistake by the attacker revealed that they called this wiper “Meteor”, which prompted the researchers to name the attack MeteorExpress. At present it is not possible to link this activity to previously identified threat groups, or to other attacks. However, preliminary analysis shows that this wiper was developed within the past three years and is designed for reuse. To encourage further investigation of this new threat actor, the researchers shared indicators of attack and invited other security researchers to explore the truth together.
On July 9, an unexplained cyber attack paralyzed the Iranian train system. The attackers taunted the Iranian government: the hacked display boards instructed passengers to direct their complaints to the phone number of the office of Iran’s Supreme Leader Khamenei.
After the mysterious incident in which a malware attack paralyzed Iran’s railway system came to light, SentinelOne threat hunters reconstructed the attack chain and discovered a destructive wiper component used to delete data from infected systems.
Wipers are considered the most destructive class of malware, and they appear most often in attacks in the Middle East. The 2012 Shamoon attack against the Saudi Aramco oil company is the most prominent example.
In a research report, Juan Andres Guerrero-Saade of SentinelOne’s threat research team stated that this previously unseen wiper malware was developed within the past three years and appears to be designed for reuse across multiple operations.
Based on components found in the malware files, SentinelOne identifies the wiper under the codename MeteorExpress.
Guerrero-Saade said: “(This has) the fingerprint of an unfamiliar attacker.” He pointed out that his team was unable to recover all the files related to the malware’s wiper component.
“Although we were able to recover an astonishing number of files for the wiper attack, some files still escaped our tracking. The MBR (Master Boot Record) destroyer program ‘nti.exe’ is the most striking of these missing components,” Guerrero-Saade explained.
He said that the entire toolkit is a combination of several batch files, with the different components extracted from RAR archives. The wiper components are divided by function: Meteor wipes the file system based on an encrypted configuration, nti.exe destroys the MBR, and mssetup.exe locks the system.
Guerrero-Saade also pointed out a “strange degree of fragmentation” across the toolkit: batch files spawn other batch files, different RAR files contain assorted executables, and even the intended operation is split into three payloads.
“Meteor will wipe the file system, mssetup.exe will lock out the user, and nti.exe may damage the MBR,” he said. The research team provided technical documentation on the malware’s internal workings.
“In its most basic function, MeteorExpress takes a set of paths from the encrypted configuration and searches those paths to wipe files. It also ensures that shadow copies are deleted and that the machine is removed from the domain, to avoid quick fixes,” he said.
The wiper can also change all users’ passwords, disable screensavers, terminate processes from a target process list, install a screen locker, disable recovery mode, and create scheduled tasks.
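The behaviours listed above (deleting shadow copies, disabling recovery mode, leaving the domain, changing passwords, creating scheduled tasks) are all visible in process-creation telemetry before any file is wiped, which makes them a useful detection point. The following is an added example, not SentinelOne’s code or anything from the MeteorExpress toolkit: the log format and the sample lines are constructed for illustration, and the command patterns are generic Windows tradecraft indicators (MITRE ATT&CK T1490, T1053.005, T1531) rather than the exact commands the attacker used, which the article does not show. The correlation step flags a host only when several distinct recovery-inhibiting actions cluster within a short window, which is what separates wiper staging from a lone administrator cleaning up old shadow copies.

```python
"""Detect wiper staging from process-creation logs.

Added example: constructed log format and sample lines; generic indicator
patterns, not the MeteorExpress commands themselves.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed process-creation events in a simplified key=value form
# (roughly what a SIEM ingests from Sysmon Event ID 1 or Security 4688).
SAMPLE_LOG = """\
2021-07-09T10:14:50 host=WS01 user=SYSTEM cmd="C:\\Windows\\System32\\svchost.exe -k netsvcs"
2021-07-09T10:15:02 host=WS01 user=SYSTEM cmd="vssadmin delete shadows /all /quiet"
2021-07-09T10:15:04 host=WS01 user=SYSTEM cmd="bcdedit /set {default} recoveryenabled no"
2021-07-09T10:15:05 host=WS01 user=SYSTEM cmd="net user operator Pa55w0rd!"
2021-07-09T10:15:07 host=WS01 user=SYSTEM cmd="schtasks /create /tn lock /tr C:\\temp\\mssetup.exe /sc once /st 10:20"
2021-07-09T10:15:09 host=WS01 user=SYSTEM cmd="powershell Remove-Computer -UnjoinDomainCredential x -Force"
2021-07-09T10:30:00 host=WS02 user=admin cmd="vssadmin list shadows"
2021-07-09T11:02:00 host=WS03 user=backup cmd="vssadmin delete shadows /for=D: /oldest"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# (rule name, ATT&CK technique, command-line pattern). Generic indicators;
# tune allow-lists for backup agents that legitimately prune shadow copies.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", "T1490",
     re.compile(r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    # "net user <name> <password>": second argument must not be a switch,
    # so plain queries like "net user bob /domain" do not fire.
    ("password_change", "T1531",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+[^/\s]\S*", re.I)),
    ("domain_leave", "T1531",
     re.compile(r"netdom(\.exe)?\s+remove|Remove-Computer", re.I)),
    ("scheduled_task", "T1053.005",
     re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
]


@dataclass
class Hit:
    ts: datetime
    host: str
    user: str
    rule: str
    technique: str
    cmd: str


def scan(lines):
    """Return one Hit per (event, matching rule); unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        for name, technique, pattern in RULES:
            if pattern.search(m["cmd"]):
                hits.append(Hit(ts, m["host"], m["user"], name, technique, m["cmd"]))
    return hits


def correlate(hits, window=timedelta(minutes=10), min_rules=3):
    """Flag hosts where >= min_rules distinct rules fire within `window`.

    Returns {host: sorted list of rule names seen in the first such window}.
    """
    by_host = defaultdict(list)
    for h in hits:
        by_host[h.host].append(h)
    flagged = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h.ts)
        for i, start in enumerate(hs):
            rules = {h.rule for h in hs[i:] if h.ts - start.ts <= window}
            if len(rules) >= min_rules:
                flagged[host] = sorted(rules)
                break
    return flagged


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts.isoformat()} {h.host} {h.rule} ({h.technique}): {h.cmd}")
    for host, rules in correlate(found).items():
        print(f"ALERT wiper staging suspected on {host}: {', '.join(rules)}")
```

Run as a script it lists every individual indicator and then raises one alert for WS01, where five distinct actions land within seconds; WS03’s single shadow-copy deletion by the backup account produces a hit but no alert, which is the kind of event an allow-list for the backup product (Veeam, in this incident) would suppress entirely.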
Guerrero-Saade found clues in the Meteor wiper pointing to an externally configurable design that can be reused effectively across different operations. “The externally configurable nature of the wiper indicates that it was not designed for this specific operation.”
In the report’s conclusion, the research team notes that conflict in cyberspace is filled with increasingly brazen threat actors. Behind this epic troll lies a disturbing reality: a previously unknown threat actor is willing to use wiper malware against a public railway system. The attacker is an intermediate-level player, whose different operational components swing sharply between clumsy and rudimentary on one side and flexible and advanced on the other.
On the one hand, there is a new externally configurable wiper full of interesting features, including a mature development process and redundant means of achieving its goals. Even the batch scripts include extensive error checking, a feature rarely seen in deployment scripts. The attack aims to weaken the victim’s systems so that they cannot easily be remediated through domain management or shadow copy recovery.
On the other hand, the researchers saw a deployment pipeline the adversary had not yet mastered, and malware samples containing many debugging features unrelated to this particular operation. There is functional redundancy between the different attack components, which suggests that the division of responsibilities between teams is uncoordinated. The files are distributed in an awkward, verbose, and disorganized manner that does not match an advanced attacker.
Through the thick fog we still cannot make out the outline of this adversary. Perhaps it is an unscrupulous mercenary group. At present any attribution is pure speculation, and would oversimplify the fierce clash of vested interests, means, and motives among multiple countries.
Behind this epic troll there is more to learn about the attacker. Bear in mind that the attacker was already familiar with the target’s general setup, the characteristics of its domain controllers, and its choice of backup system (Veeam). That implies a reconnaissance phase that flew entirely under the radar, and a set of espionage tools that has not yet been discovered.
SentinelOne released indicators of compromise (IOCs) and YARA rules to encourage further research on this mysterious threat actor.