Last month we saw how Iran’s railway system came under attack and how the resulting chaos affected passengers. Researchers from SentinelOne have investigated this cyber attack and reconstructed the attack chain, attributing it to a never-before-seen wiper program.
The researchers believe the attackers themselves named this wiper malware “Meteor”, based on evidence and mistakes found during the initial investigation, which also led the SentinelOne team to name the campaign “MeteorExpress”.
The SentinelOne team has also acknowledged security researcher Anton Cherepanov, who pointed out the initial analysis released by an Iranian AV company.
“The attackers abused Group Policy to distribute a cab file to conduct their attack,” says the SentinelOne expert. “The overall toolkit consists of a combination of batch files orchestrating different components dropped from RAR archives. The archives decompressed with an attacker supplied copy of Rar.exe coupled with the password ‘hackemall’. The wiper components are split by functionality: Meteor encrypts the filesystem based on an encrypted configuration, nti.exe corrupts the MBR, and mssetup.exe locks the system.”
SentinelOne experts also identified the following set of capabilities that were present in the malware but went unused. The activities actually carried out included removing encrypted files, deleting shadow copies and removing the infected machine from the domain, all of which make remediation harder.
- Changing passwords for all users
- Disabling screensavers
- Process termination based on a list of target processes
- Installing a screen locker
- Disabling recovery mode
- Changing boot policy error handling
- Creating scheduled tasks
- Logging off local sessions
- Changing lock screen images for different Windows versions (XP, 7, 10)
- Creating processes and executing commands
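As an added example (not part of the original article or of SentinelOne’s report), the Python script below shows how a defender might hunt for several of the behaviours listed above in process-creation logs. The command-line patterns are the standard Windows utilities for deleting shadow copies, disabling recovery, changing the boot status policy, creating scheduled tasks and leaving a domain, plus Rar.exe invoked with a password switch; they are assumptions about how such capabilities are typically exercised on Windows, not indicators taken from the report. The log format and the log lines themselves are constructed for this example.

```python
"""Hunt for wiper-like host preparation in process-creation logs.

Example code written for this article; the rules, log format and sample
events are constructed and are NOT indicators from the SentinelOne report.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Each rule maps a capability named in the article to a regex over the
# process command line. The commands are the usual Windows utilities for
# these actions (an assumption for this example, not report-derived IoCs).
DETECTION_RULES: Dict[str, "re.Pattern[str]"] = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "recovery_mode_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_policy_error_handling_changed": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "scheduled_task_created": re.compile(
        r"\bschtasks(\.exe)?\b.*\s/create\b", re.I),
    "domain_removal": re.compile(
        r"(\bnetdom(\.exe)?\s+remove\b|\bRemove-Computer\b)", re.I),
    "password_protected_rar_extraction": re.compile(
        r"\brar(\.exe)?\s+[xe]\b.*\s-p\S+", re.I),
}

# Constructed log format: "<timestamp> host=<name> user=<account> cmdline=<command line>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmdline=(?P<cmd>.*)$")

# Constructed sample events: one host shows the full preparation sequence,
# a second host shows benign look-alike activity that must not alert.
SAMPLE_LOG = """\
2021-07-09T11:02:13Z host=WS-017 user=CORP\\svc_deploy cmdline=C:\\temp\\rar.exe x -phackemall -y update.rar C:\\temp\\
2021-07-09T11:02:20Z host=WS-017 user=CORP\\svc_deploy cmdline=vssadmin.exe delete shadows /all /quiet
2021-07-09T11:02:21Z host=WS-017 user=CORP\\svc_deploy cmdline=bcdedit.exe /set {default} recoveryenabled no
2021-07-09T11:02:21Z host=WS-017 user=CORP\\svc_deploy cmdline=bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2021-07-09T11:02:30Z host=WS-017 user=CORP\\svc_deploy cmdline=schtasks.exe /create /tn mstask /tr C:\\temp\\mssetup.exe /sc onstart
2021-07-09T11:03:02Z host=WS-017 user=CORP\\svc_deploy cmdline=netdom.exe remove WS-017 /domain:corp.local /force
2021-07-09T11:05:44Z host=WS-022 user=CORP\\jdoe cmdline=schtasks.exe /query /fo list
2021-07-09T11:06:01Z host=WS-022 user=CORP\\jdoe cmdline=C:\\Windows\\explorer.exe
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; return None for lines that do not fit."""
    match = LOG_LINE.match(line)
    return match.groupdict() if match else None


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per (event, matching rule) pair."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for rule, pattern in DETECTION_RULES.items():
            if pattern.search(event["cmd"]):
                alerts.append({"rule": rule, **event})
    return alerts


def hosts_with_wiper_like_activity(alerts: List[Dict[str, str]],
                                   min_rules: int = 2) -> Dict[str, List[str]]:
    """Correlate per host: several distinct rules firing on one machine is far
    more telling than any single command, which an admin may run legitimately."""
    rules_by_host: Dict[str, set] = defaultdict(set)
    for alert in alerts:
        rules_by_host[alert["host"]].add(alert["rule"])
    return {host: sorted(rules) for host, rules in rules_by_host.items()
            if len(rules) >= min_rules}


def main() -> None:
    alerts = scan(SAMPLE_LOG.splitlines())
    for alert in alerts:
        print(f"{alert['ts']} {alert['host']} {alert['rule']}: {alert['cmd']}")
    for host, rules in hosts_with_wiper_like_activity(alerts).items():
        print(f"\n{host}: {len(rules)} distinct preparation behaviours -> {', '.join(rules)}")


if __name__ == "__main__":
    main()
```

Run as a script it prints the six alerts raised on WS-017 and flags that host, while the `schtasks /query` and explorer.exe events on WS-022 stay silent. In practice the same rules would be fed from Sysmon Event ID 1 or Windows Security Event 4688 command lines rather than a constructed text format, and the per-host correlation step is what keeps a single legitimate `bcdedit` call from paging an analyst.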
While the malware is packed with interesting capabilities and redundant features for achieving its objectives, it also contains extensive debugging output and unnecessary functionality irrelevant to this operation. “Files are dispensed in a clunky, verbose, and disorganized manner unbecoming of advanced attackers,” concludes the report.
CyberWorkx news readers can access the IOCs of this malware variant here.
For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.