The cyber-attack that crippled Iran's national railway system at the beginning of the month was caused by a disk-wiping malware strain called Meteor, not a ransomware attack, as per the research published by security firms Amnpardaz and SentinelOne.
According to Reuters, the attack caused train services to be affected as well as the transport ministry's website to fall down. But the assault wasn't simply meant to cause havoc. A number for travelers to contact for further information about the difficulties was also put into displays at train stations by the attackers.
As per Juan Andres Guerrero-Saade, Principal Threat Researcher at SentinelOne, this is the first time this malware has been used and also stated Meteor is yet to be linked to a previously identified group.
Meteor malware: A part of a well-planned attack
The Meteor wiper was precisely one of three components of a broader malware arsenal placed on the systems of the Iranian railway computers on July 9, according to the firm's research.
The attacks, which SentinelOne tracked under the codename of MeteorExpress, and led to trains being canceled or delayed across Iran, involved:
1.Meteor – malware that wiped the infected computer’s filesystem.
2.A file named mssetup.exe that played the role of an old-school screen locker to lock the user out of their PC.
3.And a file named nti.exe that rewrote the victim computer’s master boot record (MBR).
Although Guerrero-Saade did not state how or where the attack began, he did mention that once inside a network, the attackers utilized group policies to deploy their malware, deleted shadow volume copies to stop data recovery, and disconnected infected hosts from their local domain controller, to avoid sysadmins from quickly fixing infected systems.
Infected computers' filesystems were deleted after the attack, and their displays flashed a message instructing victims to contact a phone number associated with Supreme Leader Ayatollah Ali Khamenei's office, all as a prank from the attackers' perspective.
The MeteorExpress campaign and wiper assaults appeared to be a witty prank directed at Iranian government officials, the malware employed was not.
Meteor and all of the other MeteorExpress elements comprised "a bizarre amalgam of custom code," according to Guerrero-Saade, that combined open-source components with old software and custom-written parts that were "rife with sanity checks, error checking, and redundancy in accomplishing its goals."
The Meteor code included some of the same features as the screen-locking component or the adjacent deployment batch scripts.
The SentinelOne researcher stated, “Even their batch scripts include extensive error checking, a feature seldom encountered with deployment scripts.”
While certain sections of the malware looked to have been developed by a skilled and professional developer, Guerrero-Saade also notes that the MeteorExpress attack's irregular nature indicates the malware and the overall operation were cobbled together in a hurry by several teams.