According to research from Amnpardaz and SentinelOne, the recent attack against Iran’s national railway system was caused by a wiper malware dubbed Meteor and not by ransomware as initially thought. Meteor was a previously undetected strain of malware, but experts were not able to link it to specific advanced persistent threat actors.
Iran’s railroad system was hit by a cyberattack on July 9: threat actors published fake messages about train delays or cancellations on display boards at stations across the country, the Fars news agency reported.
The messages on the boards informed passengers that the trains were “long delayed because of cyberattack” or “canceled.” The messages also urged passengers to call for information and provided the phone number of the office of the country’s supreme leader, Ayatollah Ali Khamenei.
OPSEC mistakes (the malware code includes verbose debug strings presumably intended for internal testing) allowed SentinelOne researchers to learn that the attackers tracked the wiper as ‘Meteor’; for this reason, they named the campaign MeteorExpress.
The MeteorExpress attack chain begins with the attackers abusing Group Policy to distribute a cab file to the target hosts.
The attack involved the Meteor wiper, a file named mssetup.exe that acted as a screenlocker locking users out of their systems, and the nti.exe file used to corrupt the system’s master boot record (MBR).
Once the malware was distributed within the target network, it deleted shadow volume copies to prevent data recovery and removed the machine from the domain to hinder quick remediation of infected systems.
The malware wiped the filesystem of the infected systems and displayed a message instructing the victims to call a phone number belonging to the office of Supreme Leader Ayatollah Ali Khamenei.
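The chain described above (a cab file pushed through Group Policy, shadow copies deleted, the host pulled out of the domain) leaves a recognisable trail in process-creation telemetry. The following detector is an added example written for this article; it is not code from SentinelOne, Amnpardaz or the Meteor sample. It runs over a handful of constructed Sysmon-style JSON log lines (the hostnames, users and paths are made up) and flags a host only when two or more of those behaviours occur on it, since a lone shadow-copy deletion can be legitimate administration. The command patterns matched are generic Windows ones assumed to correspond to the behaviours the article names, not strings taken from the malware.

```python
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample telemetry (Sysmon Event ID 1 style, one JSON object per line).
# These lines are invented for this example and are NOT real events from the Meteor incident.
SAMPLE_EVENTS = r"""
{"EventID":1,"Computer":"ws01.corp.example","User":"CORP\\svc_deploy","ParentImage":"C:\\Windows\\System32\\svchost.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c expand \\\\dc01\\SYSVOL\\corp.example\\scripts\\env.cab -F:* C:\\temp\\env"}
{"EventID":1,"Computer":"ws01.corp.example","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\temp\\env\\setup.bat","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe delete shadows /all /quiet"}
{"EventID":1,"Computer":"ws01.corp.example","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\temp\\env\\setup.bat","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic shadowcopy delete"}
{"EventID":1,"Computer":"ws01.corp.example","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\temp\\env\\setup.bat","Image":"C:\\Windows\\System32\\netdom.exe","CommandLine":"netdom remove ws01 /domain:corp.example /force"}
{"EventID":1,"Computer":"ws02.corp.example","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n"}
"""

# Rule name -> pattern applied to the decoded CommandLine field.
# These are generic Windows command patterns assumed to reflect the three behaviours the
# article describes (shadow copy deletion, domain unjoin, cab unpacked from a Group Policy
# share); they are not signatures extracted from the Meteor binaries.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows)|(wmic(\.exe)?\s+shadowcopy\s+delete)",
        re.IGNORECASE),
    "domain_unjoin": re.compile(
        r"(netdom(\.exe)?\s+remove)|(Remove-Computer\b)", re.IGNORECASE),
    "cab_expanded_from_sysvol": re.compile(
        r"expand(\.exe)?\b.*\\SYSVOL\\.*\.cab\b", re.IGNORECASE),
}


def parse_events(text: str) -> List[dict]:
    """Decode one JSON object per non-empty line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def match_rules(event: dict) -> Set[str]:
    """Return the names of every rule whose pattern hits this event's command line."""
    cmd = event.get("CommandLine", "")
    return {name for name, pattern in RULES.items() if pattern.search(cmd)}


def hits_by_host(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Aggregate the distinct rules that fired on each host (process-creation events only)."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for event in events:
        if event.get("EventID") != 1:
            continue
        hosts[event.get("Computer", "?")] |= match_rules(event)
    return dict(hosts)


def suspicious_hosts(events: Iterable[dict], min_rules: int = 2) -> List[str]:
    """Hosts where at least `min_rules` distinct behaviours were seen; a single hit is only noise."""
    return sorted(host for host, names in hits_by_host(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for host, names in hits_by_host(parsed).items():
        print(f"{host}: {sorted(names) or 'no hits'}")
    print("alert on:", suspicious_hosts(parsed))
```

In production the aggregation would be bounded by a time window and keyed on the parent process as well as the host, so that an unrelated administrative shadow-copy cleanup hours earlier does not combine with a later event into a false alert; the per-host set here is the simplest form of that correlation.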
Experts believe the malware is a sophisticated threat made up of multiple components that could be reused in future attacks with unpredictable consequences.
“The code is a bizarre amalgam of custom code that wraps open-source components (cpp-httplib v0.2) and practically ancient abused software (FSProLabs’ Lock My PC 4). While that might suggest that the Meteor wiper was built to be disposable, or meant for a single operation, that’s juxtaposed with an externally configurable design that allows efficient reuse for different operations. Many of the available keys are not instantiated in this operation, like the ability to kill specific processes.” reads the analysis published by SentinelOne. “Additionally, that external configuration is encrypted, presumably to limit analysis, but all of the configurable keys are hardcoded in plaintext within the main binary.”
However, the researchers pointed out that while some parts of the malware appeared to have been written by experienced developers, it was assembled in a disorganized manner. They also noticed feature redundancy between different components of the attack chain, which suggests an uncoordinated division of responsibilities across teams that may have arranged the operation in a hurry.
“The attacker is an intermediate level player whose different operational components sharply oscillate from clunky and rudimentary to slick and well-developed,” the experts conclude. “We see an adversary that doesn’t yet have a handle on their deployment pipeline, using a sample of their malware that contains extensive debug features and burning functionality irrelevant to this particular operation. There’s feature redundancy between different attack components that suggests an uncoordinated division of responsibilities across teams. And files are dispensed in a clunky, verbose, and disorganized manner unbecoming of advanced attackers.”
(SecurityAffairs – hacking, Meteor)