The cyberattack that disrupted the website of Iran’s Ministry of Transport and its national rail system earlier this month, causing mass disruption to rail traffic, was the result of a reusable wiper malware called “Meteor”.
The campaign, dubbed “MeteorExpress”, has not been linked to any previously identified threat group or to any earlier attacks. According to researchers from the Iranian antivirus company Amn Pardaz and from SentinelOne, this is the first incident in which this malware was used. Meteor is said to have been in operation for the past three years.
“While there was no specific compromise, we were able to recover most of the components of the attack,” said Juan Andres Guerrero-Saade, SentinelOne’s chief threat researcher. “Behind this uncommon story of stopped trains and trams, we found the fingerprints of an unknown attacker.”
On July 9, Iran’s transport system was crippled by a major cyberattack in which hackers altered electronic display boards to instruct passengers to file complaints with the office of Iran’s Supreme Leader Ayatollah Ali Khamenei. The incident is said to have caused “unprecedented chaos” at train stations, with hundreds of trains delayed or cancelled.
According to SentinelOne, the infection chain begins by abusing Group Policy to deploy a toolkit. It consists of a combination of batch files that orchestrate various components extracted from multiple RAR archives, chained together with file encryption to facilitate master boot record (MBR) corruption and the associated system lockouts.
Another batch script deployed during the attack was found to be responsible for disconnecting infected devices from the network and adding Windows Defender exclusions for all of the components, a tactic that is becoming increasingly common among malware.
Wiper: A weird mixture of custom code
Meteor itself is an externally configurable wiper with a variety of features. These include the ability to delete shadow copies, as well as “various additional features” such as changing user passwords, terminating arbitrary processes and executing malicious commands.
The wiper has been described as a “weird mixture of custom code” combining open-source components with legacy software. It is “filled with logic, error checking, and redundancy in achieving its goals,” suggesting a fragmented approach and a lack of coordination.
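The behaviours described above (Defender exclusions, shadow-copy deletion, network disconnection, password changes) are individually noisy but telling in combination. The following is an added detection example, not code from the article or from SentinelOne; the command lines it looks for are generic, commonly used ways of performing each tactic, assumed for illustration rather than taken from the Meteor toolkit, and the process-creation events are constructed samples.

```python
import re

# Constructed sample of process-creation events (hypothetical; not from the incident).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "powershell.exe Add-MpPreference -ExclusionPath C:\\temp\\update"},
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": 'netsh interface set interface "Ethernet" admin=disable'},
    {"host": "ws02", "cmdline": "net user backupadmin NewP@ss /domain"},
    {"host": "ws03", "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
]

# One rule per tactic named in the article. The patterns are assumed, generic
# indicators of that tactic, not the specific commands used by Meteor.
RULES = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "network_disconnect": re.compile(r"netsh\s+interface\s+set\s+interface.*admin=disable", re.I),
    # "net user <name> <password>": a password set (or account add), not a bare listing
    "password_change": re.compile(r"\bnet(\.exe)?\s+user\s+\S+\s+[^/\s]\S*", re.I),
}


def match_events(events):
    """Return (host, tactic, cmdline) for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        for tactic, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], tactic, ev["cmdline"]))
    return hits


def hosts_with_wiper_precursors(events, threshold=2):
    """Hosts on which at least `threshold` distinct tactics were observed.

    A single exclusion or shadow deletion can be legitimate administration; the same host
    adding exclusions, deleting shadow copies and cutting its own network link is the
    pre-wipe pattern worth paging on.
    """
    per_host = {}
    for host, tactic, _ in match_events(events):
        per_host.setdefault(host, set()).add(tactic)
    return sorted(h for h, tactics in per_host.items() if len(tactics) >= threshold)


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(hit)
    print("escalate:", hosts_with_wiper_precursors(SAMPLE_EVENTS))
```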
“Conflict in cyberspace is full of actors who are continuously daring and threatening. Behind this epic troll lies an uncomfortable reality where previously unknown threats are poised to wipe out common rail systems with malware,” said Guerrero-Saade.
“We have to keep in mind that the attackers were familiar with their general target settings, domain controller properties, and target selection for backup systems (Veeam). This represents a phase of intelligence that is completely under the radar, with espionage tools that we have yet to discover.”