Earlier this month, Iranian Railways suffered a serious cyberattack. It now turns out that the facility fell prey to a new file wiping malware “Meteor”. This malware typically wipes the target systems rendering them unbootable.
Iranian Railways Cyberattack
Reportedly, the Iranian Railways systems suffered a cyberattack during mid-July that caused service disruptions. The subsequent digital mess eventually caused problems for the passengers.
The attackers took control of the display boards at various stations throughout the country. They also displayed a troll message on the boards, mentioning “delays” due to “cyberattack” whilst redirecting the passengers to a number allegedly belonging to the office of the Supreme Leader Ali Khamenei.
A phone number–64411–was displayed on boards of train stations today in #Iran amid the reported cyberattack on the rail system. It directed commuters there to call for more information. It matched the number to #Iran's Supreme Leader's Office that is displayed on his website. pic.twitter.com/IQQ85I6QhJ
— Iran International English (@IranIntl_En) July 9, 2021
Also, the attack caused the website to shut down temporarily.
Initially, it remained unclear how the incident happened. However, researchers from Sentinel Labs have now revealed that the facility suffered an attack by a seemingly new malware dubbed “Meteor”.
Like ransomware, a wiper malware also takes control of the system’s data. However, unlike the former, it doesn’t aim at recovery. Rather a wiper simply “wipes” the data of the system, rendering it almost impossible for the victim to recover.
About Meteor Malware
According to Sentinel Labs’ report, the newly identified file wiping malware targeted the Iranian Railways’ systems on July 9, 2021. Analyzing the indicators made them recognize an unfamiliar attacker’s fingerprints.
Briefly, the attackers exploited the Group Policy to distribute the malicious cab file. The wiping attack was primarily executed via a set of batch files exhibiting different functionalities. These include wiping the system, locking the device’s Master Boot Record (MBR), clearing event logs, and rendering the machine unbootable.
During the infection, the malware also checks for the presence of Kaspersky antivirus on the target system. If detected, the malware exits; if not, it proceeds to create exclusions for its components in Windows Defender. That’s how it evades all security checks to take control of the device.
After this, the final payload, the “Meteor” arrives which actually wipes the system files at the scheduled time. Describing its functionality, the researchers stated,
At its most basic functionality, the Meteor wiper takes a set of paths from the encrypted config and walks these paths, wiping files. It also makes sure to delete shadow copies and removes the machine from the domain to avoid means of quick remediation.
That said, it also bears numerous other functionalities which the malware didn’t exhibit during the Iranian railways attack.
For now, the exact threat actor(s) behind this malware remain unidentified.