MeteorExpress behind Iranian July’s train ‘wiper’ attack

Back in early July, the Iranian train system came under cyberattack from an unknown source. The attack was able to bring the entire system to a full stop, and hackers openly taunted the Iranian government in what most would consider trolling. The signs in the train stations flashed the phone number for Sayyid Ali Hosseini Khamenei’s office, a way for hackers to tell passengers to complain to the government instead of blaming the actual hacker culprits. After extensive research, the cause of this attack has a name: MeteorExpress.

Researchers at SentinelOne’s SentinelLabs published their findings in a recent article. Initially, there were no prominent signs of compromise, which led SentinelLabs to write off the Iranian government’s claims of an attack since they claim it’s “not uncommon for Iranian authorities to vaguely point the finger towards cyberattacks only to retract the claims.” Rather than let their personal bias against the Iranian government close the investigation, researchers continued to probe. Eventually, they found the cause, which was a brand-new wiper they deemed MeteorExpress. The wiper is comprised of numerous batch files nested in RAR archives. MeteorExpress, in general, has a heavily segmented toolkit from what could be gleaned in its source code.

In analyzing MeteorExpress, SentinelLabs was able to construct a general understanding of how the wiper attack happened. Each batch file in the wiper gets executed consecutively. The ultimate goal is the deployment of a nasty payload described in detail below:

The Meteor wiper is executed as a scheduled task, called mstask and set to run at five minutes to midnight. It’s supplied with a single argument, an encrypted JSON configuration file, msconf.conf (68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7), that holds values for corresponding keys contained in cleartext within the binary… At its most basic functionality, the Meteor wiper takes a set of paths from the encrypted config and walks these paths, wiping files. It also makes sure to delete shadow copies and removes the machine from the domain to avoid means of quick remediation. The wiper includes a wealth of additional functionality, most of which isn’t used in this particular attack.

The main takeaway from this MeteorExpress attack appears to be that a new, powerful wiper is in the wild. A small fraction of MeteorExpress’s functionality was used in this attack, and it was able to stop an entire transportation system. What could be done when all of its code is employed?

Featured image: Shutterstock

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top