Meteor Wiper Malware Hits Iranian Railways


In recent years we have seen a massive change in the way cybercriminals operate. Instead of using destructive malware, they have focused on developing complicated extortion schemes or high-quality malware that steals sensitive data from the victim. While these operations are very profitable, there are still some threat actors that rely on classic destructive malware. One of the popular implants that fit this category is the so-called 'wiper.' Wipers behave in a manner similar to ransomware, but with one major difference – they delete files instead of encrypting them. Naturally, the criminals do not offer a recovery option, nor do they ask for money – their goal is to be as destructive as possible.

Meteor Wiper Malware Enters the Scene

In July, cybersecurity experts identified a new implant, which fits the description above – the Meteor Wiper Malware. It was used in a large-scale attack against the Iranian railway agency. Although 'file deletion' might sound like a simple task, you can rest assured that threats like the Meteor Wiper Malware are not basic at all. They usually perform a long list of tasks to make sure that their execution goes flawlessly and that the victim will not have time to react.

In the case of the Meteor Wiper Malware, it seems that the attack might be politically motivated – however, the political allegiance or origin of the attackers is not yet clear. During the attack, the railway's message boards were spammed with messages telling passengers to call a specific phone number for more details. The number, however, does not belong to the railway – calling it would get passengers in touch with the office of Supreme Leader Ali Khamenei.

Meteor Wiper Malware's attack involves multiple stages to ensure flawless execution. The initial infection vector is not clear. Once running, the wiper uses several components to carry out the attack:

  • Setup.bat – tampers with the Windows Group Policy to make it possible to copy the malicious executables to other systems on the same network. It also checks for the presence of antivirus software, disables Windows Defender, and temporarily disconnects the computer from the Internet. It also wipes out Windows Event Logs and proceeds to execute three files.
  • Env.exe or msapp.exe – both files serve an identical purpose and differ only in name. They host the wiper component, which deletes files.
  • Nti.exe – an MBR locker, which overwrites the MBR (Master Boot Record) to prevent PCs from booting.
  • Mssetup.exe – a screen locker, which displays an image and a message to the victim.
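As an added illustration (not code from the original article or from the malware), the log-clearing and Defender-disabling steps attributed to Setup.bat leave Windows event records that a defender can correlate. The script below does that over constructed sample events (host names and timestamps are invented), using Event IDs 1102 and 104 (Security/System log cleared) and 5001 (Defender real-time protection disabled); the 10-minute window is an assumed tuning value.

```python
"""Flag hosts where event logs were cleared and Defender was disabled
within a short window, the pre-wipe staging pattern described above."""
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry from the incident.
SAMPLE_EVENTS = [
    {"time": "2021-07-09T08:55:10", "host": "ws-12", "channel": "Security", "id": 4624},
    {"time": "2021-07-09T09:01:02", "host": "ws-12",
     "channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001},
    {"time": "2021-07-09T09:01:40", "host": "ws-12", "channel": "Security", "id": 1102},
    {"time": "2021-07-09T09:01:45", "host": "ws-12", "channel": "System", "id": 104},
    # Lone log clear hours before a Defender change: likely admin housekeeping.
    {"time": "2021-07-09T14:30:00", "host": "ws-07", "channel": "Security", "id": 1102},
    {"time": "2021-07-09T16:10:00", "host": "ws-07",
     "channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001},
]

# (channel, event id) pairs that mark each staging step.
LOG_CLEARED = {("Security", 1102), ("System", 104), ("Application", 104)}
DEFENDER_OFF = {("Microsoft-Windows-Windows Defender/Operational", 5001)}


def find_wiper_staging(events, window_minutes=10):
    """Return {host: [(time, tag), ...]} for every host on which a
    log-clear and a Defender-disable event occur within window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for ev in events:
        key = (ev["channel"], ev["id"])
        if key in LOG_CLEARED:
            tag = "log_cleared"
        elif key in DEFENDER_OFF:
            tag = "defender_disabled"
        else:
            continue  # unrelated event, ignore
        t = datetime.fromisoformat(ev["time"])
        by_host.setdefault(ev["host"], []).append((t, tag))
    hits = {}
    for host, marks in by_host.items():
        marks.sort()
        clears = [t for t, tag in marks if tag == "log_cleared"]
        offs = [t for t, tag in marks if tag == "defender_disabled"]
        if any(abs(c - o) <= window for c in clears for o in offs):
            hits[host] = marks
    return hits


if __name__ == "__main__":
    for host, marks in find_wiper_staging(SAMPLE_EVENTS).items():
        print(host, [(t.isoformat(timespec="minutes"), tag) for t, tag in marks])
```

Widening the window trades fewer misses for more benign hits such as the ws-07 housekeeping case, so tune it against your own baseline of log-clear events.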

Typically, destructive attacks like the one that the Meteor Wiper Malware carries out are meant to deliver a message. However, the threat actors do no such thing – they do not have demands, they do not cite their motivation, and they leave the victim in the dark. We are yet to see whether the Meteor Wiper Malware will go after another agency or company.

July 30, 2021
