An attack earlier this month on Iran’s train system, which disrupted rail service & taunted Iran’s leadership via hacked public transit display screens, used a never-before-seen wiper malware called Meteor that appears to have been designed for reuse, a security researcher has discovered.
Call the Supreme Leader!
The July 9th attack disrupted service & taunted Iran’s leadership with hacked screens directing customers to call the phone of Iranian Supreme Leader Khamenei with complaints.
That attack disrupted service & directed customers, via all of the displays & message boards at the train station, to call “64411”, the number for the office of Supreme Leader Ali Khamenei, for more information.
Ministry of Roads
The next day, attackers also hit the website & computer systems of the staff of Iran’s Ministry of Roads & Urban Development, according to a published report.
Sentinel Labs researchers reconstructed most of the attack chain in the train-system incident & discovered the novel wiper, which the threat actors, who also appear to be a new set of adversaries still finding their way, refer to as Meteor, Sentinel Labs researcher Guerrero-Saade wrote.
Guerrero-Saade credited security researcher Anton Cherepanov with identifying an early analysis of the event written in Farsi by an Iranian antivirus company as helping researchers recreate the attack.
What they discovered is that “behind this outlandish tale of stopped trains & glib trolls” are “the fingerprints of an unfamiliar attacker,” using a wiper that “was developed in the past 3 years & was designed for reuse,” Guerrero-Saade wrote.
Reconstructing the Attack
Overall, the toolkit that orchestrated the attack comprised a set of batch files that implemented different components dropped from RAR archives, according to Sentinel Labs. Attackers used the batch files, nested alongside their respective components, in a chain to carry out the attack.
“The wiper components are split by functionality: Meteor encrypts the filesystem based on an encrypted configuration, nti.exe corrupts the MBR, & mssetup.exe locks the system,” Guerrero-Saade wrote.
Missing Notable Component
Researchers recovered “a surprising amount of files” for a wiper attack but did not manage to reconstruct them all. One notable missing component was the MBR corrupter, nti.exe; its absence is significant because the files overwritten by this component are the same as those overwritten by the notorious NotPetya ransomware, which crippled organisations around the world in 2017, Guerrero-Saade noted.
Despite the attack’s success, however, researchers found “a strange level of fragmentation to the overall toolkit,” he stated.
“Batch files spawn other batch files, different RAR archives contain intermingled executables, & even the intended action is separated into 3 payloads: Meteor wipes the filesystem, mssetup.exe locks the user out, & nti.exe presumably corrupts the MBR,” Guerrero-Saade wrote.
Researchers identified those 3 payloads & elaborated on them in the report.
One is the main payload, the Meteor wiper, which comes in the form of an executable dropped under env.exe or msapp.exe, & is executed as a scheduled task with a single argument: an encrypted JSON configuration file, msconf.conf, that holds values for corresponding keys contained in cleartext within the binary, according to the report.
“At its most basic functionality, the Meteor wiper takes a set of paths from the encrypted config & walks these paths, wiping files,” Guerrero-Saade wrote.
“It also makes sure to delete shadow copies & removes the machine from the domain to avoid means of quick remediation.”
The wiper also includes much more functionality that was not used in the Iranian train attack, he noted. It can: change passwords for all users; disable screensavers; terminate processes based on a list of target processes; install a screen-locker; disable recovery mode; change boot policy error handling; create scheduled tasks; & log off local sessions, among other actions.
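The behaviours described above (scheduled-task execution with a config file, shadow-copy deletion, domain removal, disabling recovery, changing boot policy) each look like routine administration on their own; it is their combination on one host that marks the wiper-preparation chain. The following is an added detection example, not code from the report or the article: the log records are constructed Sysmon-style process-creation lines, and the regexes match the generic Windows mechanisms for each behaviour, which is an assumption, not Meteor’s actual command lines.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (host|parent_image|command_line).
# Sample data only; not telemetry from the Meteor incident.
SAMPLE_EVENTS = r"""
TRAIN-WS01|C:\Windows\System32\svchost.exe|"C:\Windows\System32\schtasks.exe" /create /tn mstask /tr "C:\temp\env.exe C:\temp\msconf.conf" /sc once
TRAIN-WS01|C:\temp\env.exe|vssadmin.exe delete shadows /all /quiet
TRAIN-WS01|C:\temp\env.exe|bcdedit.exe /set {default} recoveryenabled no
TRAIN-WS01|C:\temp\env.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
TRAIN-WS01|C:\temp\env.exe|powershell.exe Remove-Computer -UnjoinDomainCredential $cred -Force
TRAIN-WS02|C:\Windows\explorer.exe|"C:\Program Files\Backup\backup.exe" --snapshot
TRAIN-WS02|C:\Windows\System32\svchost.exe|"C:\Windows\System32\schtasks.exe" /create /tn Maintenance /tr "C:\Tools\cleanup.bat" /sc daily
""".strip().splitlines()

# Each behaviour is one the report attributes to Meteor; the patterns are the
# generic Windows mechanisms for it (an assumption, not Meteor's own commands).
BEHAVIOURS = {
    "scheduled_task_with_config": re.compile(r"schtasks(\.exe)?.*/create.*\.conf\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    "boot_policy_ignore_failures": re.compile(
        r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "domain_unjoin": re.compile(r"Remove-Computer|netdom(\.exe)?\s+remove", re.I),
}

def classify(event):
    """Return the set of Meteor-like behaviours one record's command line exhibits."""
    cmdline = event.split("|", 2)[2]
    return {name for name, rx in BEHAVIOURS.items() if rx.search(cmdline)}

def score_hosts(events):
    """Collect distinct matched behaviours per host; hosts with no match are omitted."""
    seen = defaultdict(set)
    for event in events:
        hits = classify(event)
        if hits:
            seen[event.split("|", 1)[0]] |= hits
    return {host: sorted(b) for host, b in seen.items()}

def flag_hosts(events, threshold=3):
    """Alert only when several distinct behaviours co-occur on the same host:
    a lone vssadmin or bcdedit call is normal admin noise, the chain is not."""
    return sorted(h for h, b in score_hosts(events).items() if len(b) >= threshold)

if __name__ == "__main__":
    for host, behaviours in score_hosts(SAMPLE_EVENTS).items():
        print(host, behaviours)
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```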
The fact that it has such broad capabilities seems to suggest that Meteor is not merely a one-off, but that its creators intend for it to be used in other attacks, Guerrero-Saade noted.
Meteor Express attackers also dropped a standalone screen-locker, mssetup.exe, that blocks user input, creates a window filling the entire screen, then disables the cursor & locks the user out entirely, according to the report.
Despite its success in the Meteor Express attack, the threat group still seems to be honing its skills & finding its way, as evidenced by the “contradictory” practices in Meteor’s code & capabilities, researchers observed.
“First, the code is rife with sanity checks, error checking, & redundancy in accomplishing its goals,” Guerrero-Saade wrote. “However, the operators clearly made a major mistake in compiling a binary with a wealth of debug strings meant for internal testing.”
The heart of Meteor also includes a “bizarre amalgam of custom code” that uses open-source components & “practically ancient” software, FSProLabs’ Lock My PC 4, pointing to the generally experimental nature of the attackers’ approach, he commented.
However, “while that might suggest that the Meteor wiper was built to be disposable, or meant for a single operation,” this code is “juxtaposed with an externally configurable design that allows efficient reuse for different operations,” Guerrero-Saade wrote.
The components of Meteor Express that researchers examined point to a new, intermediate-level player in the attack landscape “whose different operational components sharply oscillate from clunky & rudimentary to slick & well-developed,” he concluded.