In early July, the Iranian rail system was the subject of a cyberattack from an unknown source. The attack was able to bring the entire system to a complete halt, and the hackers openly taunted the Iranian government in what most would consider trolling. Signs at stations displayed the phone number for Sayyid Ali Hosseini Khamenei’s office, a way for hackers to tell passengers to complain to the government instead of blaming the real hackers. After extensive research, the cause of this attack has a name: MeteorExpress.
SentinelOne’s SentinelLabs researchers published their findings in a recent report. Initially, there were no obvious signs of compromise, which led SentinelLabs to dismiss the Iranian government’s attack allegations, noting that it is “not uncommon for Iranian authorities to vaguely point fingers at cyber attacks only to remove claims”. Rather than letting their bias against the Iranian government’s claims end the investigation, the researchers kept digging. Eventually they found the cause: a brand new wiper they named MeteorExpress. The wiper is made up of many batch files nested in RAR archives, and as far as could be gleaned from its source code, the MeteorExpress toolkit is heavily segmented.
By analyzing MeteorExpress, SentinelLabs was able to build a general understanding of how the wiper attack happened. Each batch file in the wiper is executed consecutively. The ultimate goal is the deployment of an unpleasant payload described in detail below:
The Meteor wiper is executed as a scheduled task called mstask, set to run at five minutes to midnight. It takes a single argument, an encrypted JSON configuration file, msconf.conf (SHA-256: 68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7). It also deletes shadow copies and removes the machine from the domain, closing off the quickest means of recovery. The wiper includes a host of additional features, most of which are not used in this particular attack.
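The execution chain above (a scheduled task named mstask, the msconf.conf argument, shadow copy deletion and domain removal) is the kind of behavioural combination a defender can hunt for in process-creation telemetry. The following is an added example, not code from the SentinelLabs report: the pipe-delimited record format, the wiper binary name and paths, the host names and the regex patterns are all constructed assumptions; only the task name and config file name come from the text.

```python
import re
from collections import defaultdict

# Constructed process-creation records (not from the SentinelLabs report):
# "host|timestamp|parent image|command line". The wiper binary name and paths
# are placeholders; only the task name and config file name come from the page.
SAMPLE_EVENTS = """\
wks01|2021-07-09T23:50:02|explorer.exe|schtasks /create /tn mstask /sc once /st 23:55 /tr "C:\\staging\\wiper.exe C:\\staging\\msconf.conf"
wks01|2021-07-09T23:55:01|svchost.exe|C:\\staging\\wiper.exe C:\\staging\\msconf.conf
wks01|2021-07-09T23:55:04|wiper.exe|vssadmin delete shadows /all /quiet
wks01|2021-07-09T23:55:06|wiper.exe|powershell.exe -c Remove-Computer -Force
wks02|2021-07-09T23:51:10|explorer.exe|schtasks /query /tn NightlyBackup
wks02|2021-07-09T23:52:00|backup.exe|vssadmin list shadows"""

# Each behaviour the page describes becomes one indicator. A single hit is weak
# evidence (admins delete shadow copies too); several on one host is the signal.
INDICATORS = {
    "task_named_mstask": re.compile(r"schtasks.*?/create\b.*?/tn\s+mstask\b", re.I),
    "msconf_argument": re.compile(r"\bmsconf\.conf\b", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin.*\bdelete\s+shadows\b|wmic.*shadowcopy\s+delete", re.I),
    "domain_unjoin": re.compile(r"\bRemove-Computer\b|\bnetdom\s+remove\b", re.I),
}

def parse(records):
    """Yield (host, timestamp, parent, cmdline) tuples from the pipe-delimited records."""
    for line in records.splitlines():
        host, ts, parent, cmd = line.split("|", 3)
        yield host, ts, parent, cmd

def scan(records):
    """Return {host: set(indicator names)} for every indicator that fired on that host."""
    hits = defaultdict(set)
    for host, _ts, _parent, cmd in parse(records):
        for name, pattern in INDICATORS.items():
            if pattern.search(cmd):
                hits[host].add(name)
    return dict(hits)

def triage(records, min_indicators=3):
    """Hosts on which at least min_indicators distinct behaviours fired, most hits first."""
    hits = scan(records)
    flagged = [(h, sorted(n)) for h, n in hits.items() if len(n) >= min_indicators]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(names)}")
```

On the constructed sample, wks01 trips all four indicators while wks02 (a routine backup job listing shadow copies) trips none, which is the point of scoring the combination rather than alerting on any single command.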
The main takeaway from this MeteorExpress attack seems to be that a powerful new wiper is in the wild. A small fraction of MeteorExpress’s functionality was used in this attack, and it was able to shut down an entire transport system. What could be done when all of its code is in use?