Meteor Wiper Malware Description
Meteor Wiper, as its name suggests, is wiper malware designed to cause irreversible damage to the computers it infects. Threats of this kind are deployed when the threat actor is not after monetary gain; the goal is instead to cause as much disruption as possible to the operations of a specific target, or to use the wiper attack as a distraction that hides the intrusion's true objective. Meteor is a previously unknown wiper that was deployed as part of the July 2021 cyberattack against Iran's railway system.
The Discovery of Meteor Wiper
The initial analysis of the attack did not pick up traces of the wiper. The threat actor behind the hack has so far not been identified. Still, the attackers succeeded in breaching Iran's transport ministry and disrupting the country's train system. They took down the agency's official website and announced their accomplishment by displaying a message about the cyberattack on the railway's station message boards. Several of the displayed messages also urged passengers wanting more information about the incident to call a phone number, which was determined to belong to the office of Iran's Supreme Leader Ali Khamenei. In the background, the hack also left multiple Windows devices locked behind a lock screen that barred access to the systems.
The Iranian cybersecurity firm Aman Pardaz was the first to discover that additional components, Meteor Wiper among them, had also been deployed. A subsequent report by SentinelOne researcher Juan Andres Guerrero-Saade, who tracks the campaign as MeteorExpress, revealed deeper information about the threat and several new components that were uncovered.
The Attack Chain
Before deploying the Meteor wiper, the threat actor staged several executables and batch files on each compromised device; these were tasked with preparing the local environment for the final payloads. First, the system was checked for specific anti-malware products, which were terminated if found. The device was then disconnected from the network, and exclusions were added to Windows Defender so that the remaining malware could run unhindered. Next, several payloads were extracted. After a few more preparatory tasks, such as clearing the Windows event logs and flushing the filesystem cache to disk (so that the destructive writes reach the physical disk rather than being left in memory), the final payloads were launched. These consist of the Meteor wiper itself, delivered as a file named 'env.exe' or 'msapp.exe,' an MBR (Master Boot Record) locker ('nti.exe') and a screen locker ('mssetup.exe'). Because each of these preparation steps spawns its own process, the chain leaves a sequence of process-creation records that a detection rule can correlate even before the wiper runs.
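The staging sequence above is a better detection opportunity than the wiper itself, because it plays out over several minutes and each step is visible in process-creation telemetry. The following is an added example written for this page, not code from the original article or from the SentinelOne report: a small correlation rule that scores a host on how many distinct preparation stages appear in its command lines within a short window. The security-product process names, the network-isolation command and the use of a Sysinternals-style sync.exe for the cache flush are assumptions made for the example; the wiper file names env.exe and msapp.exe are the ones given in the description. The sample events are constructed.

```python
"""Correlate the pre-wipe staging steps described above across process
creation events.  Added example for this page; the sample events and the
exact command lines are constructed for illustration."""
import re
from datetime import datetime, timedelta

# Stage name -> pattern matched against the lowercased command line.
# The AV process names (assumed), the netsh isolation command (assumed)
# and sync.exe (assumed flush utility) are illustrative; env.exe/msapp.exe
# are the wiper file names from the description.
STAGES = {
    "av_termination":     re.compile(r"taskkill\b.*\b(avp|mcshield|msmpeng|ekrn)\.exe"),
    "network_isolation":  re.compile(r"netsh\s+interface\s+set\s+interface\b.*admin=disable"),
    "defender_exclusion": re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)"),
    "eventlog_clear":     re.compile(r"wevtutil(\.exe)?\s+cl\b"),
    "cache_flush":        re.compile(r"\bsync(64)?\.exe\b"),
    "wiper_launch":       re.compile(r"\\(env|msapp)\.exe\b"),
}


def classify_stage(cmdline):
    """Return the staging stage a command line belongs to, or None."""
    lowered = cmdline.lower()
    for name, pattern in STAGES.items():
        if pattern.search(lowered):
            return name
    return None


def detect_staging(events, window=timedelta(minutes=30), min_stages=3):
    """Return one alert per host whose telemetry shows at least `min_stages`
    distinct stages inside some `window`-long span.  `events` are dicts with
    host, time (datetime) and cmdline keys, in any order."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify_stage(ev["cmdline"])
        if stage:
            by_host.setdefault(ev["host"], []).append((ev["time"], stage))
    alerts = []
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):
            span = [h for h in hits[i:] if h[0] - start <= window]
            stages = sorted({s for _, s in span})
            if len(stages) >= min_stages:
                alerts.append({"host": host, "stages": stages,
                               "first_seen": span[0][0], "last_seen": span[-1][0]})
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample telemetry: one host shows the full chain, the other
# only a routine administrative log clear that must not alert.
T0 = datetime(2021, 7, 9, 6, 0)
SAMPLE_EVENTS = [
    {"host": "WKS-01", "time": T0,                        "cmdline": r"taskkill /f /im avp.exe"},
    {"host": "WKS-01", "time": T0 + timedelta(minutes=1), "cmdline": r'netsh interface set interface "Ethernet" admin=disable'},
    {"host": "WKS-01", "time": T0 + timedelta(minutes=2), "cmdline": r'powershell -Command Add-MpPreference -ExclusionPath "C:\temp"'},
    {"host": "WKS-01", "time": T0 + timedelta(minutes=5), "cmdline": r"wevtutil cl Security"},
    {"host": "WKS-01", "time": T0 + timedelta(minutes=6), "cmdline": r"C:\temp\sync.exe -accepteula"},
    {"host": "WKS-01", "time": T0 + timedelta(minutes=7), "cmdline": r"C:\temp\msapp.exe"},
    {"host": "WKS-02", "time": T0 + timedelta(hours=2),   "cmdline": r"wevtutil cl Application"},
    {"host": "WKS-02", "time": T0 + timedelta(hours=3),   "cmdline": r"notepad.exe C:\Users\ops\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect_staging(SAMPLE_EVENTS):
        print(alert["host"], ", ".join(alert["stages"]),
              alert["first_seen"].time(), "->", alert["last_seen"].time())
```

The threshold of three distinct stages is deliberate: a single log clear or a single Defender exclusion is routine administrative noise, but several of these steps on one host within half an hour is not. Feeding the rule real Sysmon Event ID 1 or Windows Security 4688 records only requires mapping their host, timestamp and command-line fields onto the dict keys used here.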