Iran’s transport ministry and national train system suffered a CyberAttack, causing the agency’s websites to shut down and disrupting train service. The threat actors also displayed messages on the railway’s message boards stating that trains were delayed or cancelled due to a CyberAttack. Also locked the devices preventing From logging in. A new wiping malware Meteor came to limelight emerged as a threat Vector.

Hackers posting messages to the railway's message boards

A wiper is malware that intentionally deletes files on a computer and causes it to become unbootable.The attack dubbed ‘MeteorExpress,’ and utilizes a toolkit of batch files and executables to wipe a system, lock the device’s Master Boot Record (MBR), and install a screen locker.

MeteorExpress attack chain

To start the attack, threat actors extracted a RAR archive protected with the ‘hackemall’ password. The attackers then added these files to a network share accessible to the rest of the computers on the Iranian railway’s network.

The threat actor then configured Windows group policies to launch a setup.bat batch file that would then copy various executables and batch files to the local device and execute them.

Setup.bat batch file

As part of this process, the batch files would go through the following steps:

  • Check if Kaspersky antivirus was installed and terminate the attack if found.
  • Disconnect the device from the network.
  • Add Windows Defender exclusions to prevent the malware from being detected.
  • Extract various malware executables and batch files to the system.
  • Clear Windows event logs.
  • Delete a scheduled task called ‘AnalyzeAll’ under the Windows Power Efficiency Diagnostics directory.
  • Use Sysinternals ‘Sync’ tool to flush the filesystem cache to the disk.
  • Launche the Meteor wiper (env.exe or msapp.exe), MBR locker (nti.exe), and screen locker (mssetup.exe) on the computer.

When completed, the device will be unbootable, its file deleted, and a screen locker installed that displays the following wallpaper background before the computer is rebooted for the first time.

Researches unable to find the ‘nti.exe’ MBR locker, the researchers from Aman Pardaz claim that it shares overlap with the notorious NotPetya wiper.

While one’s first instinct might be to assume that the NotPetya operators were involved or that this is an attempt at a false flag operation, it’s important to remember that NotPetya’s MBR corrupting scheme was mostly cribbed from the original Petya used for criminal operations.

The motive for the Meteor wiper attacks on Iran’s railway is not clear, and the attacks have not been attributed to any particular group or country.