New Wiper Malware Responsible for Attack on Iranian Railways

On July 9, 2021, the railway service used by Iranians for their daily transport needs suffered a cyber attack. New research published by Sentinel One reveals that the chaos caused during the attack was a result of a previously undiscovered form of wiper malware, called Meteor.

The attack resulted in both the Transport Ministry’s online services offered been shut down and to the frustration of passenger’s cancellations and delays of scheduled trains. Further, the electronic tracking system used to determine the locations of trains in service also failed. The government's response to the attack was at odds with what the Iranian media was saying.

The Guardian reported,

“The Fars news agency reported ‘unprecedented chaos’ at stations with hundreds of trains delayed or canceled. In the now-deleted report, it said the incident followed ‘a widespread disruption in … computer systems that is probably due to a cyber-attack.’ Sadegh Sekri, a spokesman for the Islamic Republic of Iran Railways, told ISNA news agency on Saturday that ‘there has been no disruption or cyber-attack for passenger, cargo or intercity trains’. But the Fars report had included a picture of a station’s departures and arrivals board showing rows of canceled trips with a message reading ‘long delays due to cyber-attacks.'"

Later images on shared online showed that the attackers went so far as to taunt the Iranian government as hacked displays instructed passengers to direct their complaints to the phone number of the Iranian Supreme Leader Khamenei’s office.

iranian railways attacked by wiper malware

Iran has long been active in both being targeted by cyber attackers and attacking other nations and commercial interests abroad using state-sponsored groups. The disconnect in facts presented by the Government when compared to what media houses are reporting has also been a trait of the Governments interactions with the press in all matters including cyber incidents.

Despite the veil of secrecy that is often the Iranian Governments default position, researchers at Sentinel One were able to recover many of the attack components, previously discovered by an Iranian cybersecurity firm, to discover what and possibly who was behind the attack. Spoiler alert, no attribution has been made to a particular already existing group, rather it would seem that the Iranian government has made a new enemy capable of crippling critical infrastructure.

Meteor Express

The entire attack campaign has been called Meteor Express by Juan Andres Guerrero-Saade the researcher behind the Sentinel One’s publication. The attack begins with the attackers abusing Group Policy to distribute a cab file to conduct their attack. The tool kit used by the attackers includes a combination of batch files orchestrating different components dropped from RAR archives.

The archives are then decompressed to supply the attacker with an executable, rar.exe, and a password to be used upon execution. Researchers discovered that the wiper payload is split into two components one for encryption while the other is used to corrupt the Master Boot Record (MBR).

Wiper malware first appeared in 2012 and is a class of malware that looks to actively destroy data. The use of wipers for financially motivated cybercrimes is rare as the data can be leveraged to earn a payday.

Ransomware is an example of this, while it encrypts data, users can decrypt the data once the ransom is provided and the decryption key is handed over. Wipers look to permanently destroy data and are primarily used by state-sponsored groups.

Interestingly enough, wipers have been used in the past by both Iranian and North Korean state-sponsored groups. Iranian state-sponsored groups have developed a reputation for the development and deployment of wipers in the past.

Meteor’s main destructive component is the MBR corruptor, sadly this component could not be fully recovered so the exact details of its operation are unknown. Researchers noted,

“There’s a strange level of fragmentation to the overall toolkit. Batch files spawn other batch files, different rar archives contain intermingled executables, and even the intended action is separated into three payloads: Meteor wipes the filesystem, mssetup.exe locks the user out, and nti.exe presumably corrupts the MBR. We have been able to identify two out of three components and detail their inner workings below…The main payload of this convoluted attack chain is an executable dropped under env.exe or msapp.exe. Internally, the coders refer to it as ‘Meteor’. While this particular instance of Meteor suffers from a crippling OPSEC failure (the inclusion of verbose debug strings presumably intended for internal testing), it’s an externally configurable wiper with an extensive set of features.”

Researchers also pointed out that components regarding the MBR corruptor that were found resembled those found in another infamous wiper, NotPetya. It was further discovered that the wiper component is executed as a scheduled task called mstask and set to run at five minutes to midnight.

It’s supplied with a single argument, an encrypted JSON configuration file, msconf.conf. To delete files, the malware follows its encryption path and also makes sure to delete shadow copies. The malware then removes the machine from the domain to avoid means of quick remediation. This is only a small set of the wipers features with the malware also capable of doing the following:

  • Changing passwords for all users
  • Disabling screensavers
  • Process termination based on a list of target processes
  • Installing a screen locker
  • Disabling recovery mode
  • Changing boot policy error handling
  • Creating scheduled tasks
  • Logging off local sessions
  • Changing lock screen images for different Windows versions (XP, 7, 10)
  • Creating processes and executing commands

To make all this possible the code is written with several sanity checks, error checks, and in-built redundancy. This level of complexity may have led to the developers making a critical error. Researchers pointed out that developers included a wealth of debug strings meant for internal testing when compiling the binary.

This provides researchers with a wealth of information and also shows that the attackers lack an effective deployment pipeline, this would typically remove these errors from hitting the deployment phase. Further, researchers noted,

“Secondly, the code is a bizarre amalgam of custom code that wraps open-source components (cpp-httplib v0.2) and practically ancient, abused software (FSProLabs’ Lock My PC 4). While that might suggest that the Meteor wiper was built to be disposable, or meant for a single operation, that’s juxtaposed with an externally configurable design that allows efficient reuse for different operations. Many of the available keys are not instantiated in this operation, like the ability to kill specific processes. Additionally, that external configuration is encrypted, presumably to limit analysis, but all of the configurable keys are hardcoded in plaintext within the main binary.”

Who is Responsible?

While no concrete accusations have been leveled at who is responsible for the attack, researchers believe that the attackers may be a cyber mercenary group. Or it might be a result of external training being brought to bear on a known government that actively supports state-sponsored hacking campaigns.

Regardless of the current lack of any attribution, the group has proved to have little in the way of scruples. Their attack on critical infrastructure could have endangered lives.

Researchers further concluded that whoever is responsible is likely an intermediate player, not yet worthy of their pro card. The wiper does boast some slick and well-developed features and functionality but deployment errors illustrate that the group lacks the deployment infrastructure other well-known advanced persistent threat groups successfully exploit.

This does not by any means show that the group is not a threat and learning from past mistakes is a precursor to success, even if that success involves disrupting a person’s daily life and potentially placing them in danger.

The irony of using a malware strain whose use is promoted by a government is used to cripple services said the government is responsible for is likely not the lost on the attackers. This leaves one to wonder if future attacks conducted by the group will have a similar calling card.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal