Cyberattack on Iranian train system

A cyberattack happened earlier this month, on 9th July, when a security researcher found that a never-before-seen wiper malware dubbed Meteor was used in the cyberattack on Iran’s railway system, which delayed rail operations and insulted Iran’s authorities via hacked public transit display panels.

According to a report by Juan Andres Guerrero-Saade at Sentinel Systems, the initial assault, called MeteorExpress, happened on 9th July, when “a wiper attack paralyzed the Iranian train system.”

Customers were urged to call “64411,” displayed on all the message boards in the train station, the number for the office of Supreme Leader Ali Khamenei, for more information after the assault disrupted service. Unfortunately, early reports were mostly ignored because it is usual for Iranian authorities to blame cyberattacks before withdrawing their accusations later casually. However, it’s never a bad idea to double-check.

According to a published report, the following day, attackers also hit the website and computer systems of the employees of Iran’s the Ministry of Roads and Urban Development.

According to experts from Iranian antivirus firm Amn Pardaz and SentinelOne, the MeteorExpress campaigns have not been related to any previously identified threat group or other cyberattacks, making it the first occurrence involving deploying this malware. Meteor has reportedly been under development for the past three years.

SentinelOne’s Principal Threat Researcher, Juan Andres Guerrero-Saade, noted that:

“Despite a lack of specific indicators of compromise, we were able to recover most of the attack components. Behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker,” adding the offensive is “designed to cripple the victim’s systems, leaving no recourse to simple remediation via domain administration or recovery of shadow copies.”

According to Guerrero-Saade, SentinelLabs researchers recreated most of the assault chain in the train system. They uncovered the new malware, which the threat actors, who also appear to be a new set of enemies still discovering their attack rhythm–dubbed Meteor.

Guerrero-Saade credited security researcher Anton Cherepanov with spotting an early analysis of the assault written in Farsi by an Iranian antivirus company, which assisted researchers in recreating the attack:

“We would like to acknowledge security researcher Anton Cherepanov who pointed out an early analysis (Farsi) by an Iranian antivirus company. Despite a lack of specific indicators of compromise, we were able to recover most of the attack components described in the post along with additional components they had missed. Behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker.”

Recreating the cyberattack

According to SentinelLabs, the toolkit that organized the attack was made up of a collection of batch files that integrated various components extracted from RAR archives. The attackers employed a chain of batch files stacked alongside their respective components to carry out the attack.

“The wiper components are split by functionality: Meteor encrypts the filesystem based on an encrypted configuration, nti.exe corrupts the MBR, and mssetup.exe locks the system,” says Guerrero-Saade.

“The wiper components are split by functionality: Meteor encrypts the filesystem based on an encrypted configuration, nti.exe corrupts the MBR, and mssetup.exe locks the system,” says Guerrero-Saade.

Researchers collected “a surprising amount of files” for a wiper attack but were unable to reconstruct them all. The MBR corrupter, nti.exe, was one of the notable missing components; its absence is significant because the files overwritten by this component are the same as those overwritten by the notorious NotPetya ransomware, which weakened organizations around the world in 2017, according to Guerrero-Saade.

Despite the attack’s success, researchers discovered ” a strange level of fragmentation to the overall toolkit,” he said. He also added that:

“Batch files spawn other batch files, different RAR archives contain intermingled executables, and even the intended action is separated into three payloads: Meteor wipes the filesystem, mssetup.exe locks the user out, and nti.exe presumably corrupts the MBR.”

The components of the cyberattack

In the study, researchers recognized and elaborated on two of the three payloads. According to the report, the main payload, the Meteor wiper, is an executable that is dropped under env.exe or msapp.exe and runs as a scheduled task with a single argument–an encrypted JSON configuration file, msconf. conf that holds values for corresponding keys contained in cleartext within the binary.

source: labs.sentinelone.com

Guerrero-Saade noted that: “At its most basic functionality, the Meteor wiper takes a set of paths from the encrypted config and walks these paths, wiping files. It also makes sure to delete shadow copies and removes the machine from the domain to avoid means of quick remediation.”

He also pointed out that the wiper had a lot more capability than the one used in the Iranian train attack. It can, among other actions:

  • modify all users’ passwords
  • disable screensavers
  • end processes based on a list of targets
  • install a screen locker
  • deactivate recovery mode
  • adjust boot policy error handling
  • establish scheduled tasks
  • log off local sessions

The fact that it has such a wide range of capabilities suggests that Meteor isn’t just a one-off, but its authors intend for it to be used in further attacks, Guerrero-Saade said.

According to the research, MeteorExpress attackers also released mssetup.exe, a separate screen locker that prevents user input before generating a window that fills the full screen before disabling the cursor and locking the user out completely.

Beginner hackers?

According to researchers, despite its success in the MeteorExpress assault, the threat organization appears to be improving its skills and figuring things out, as indicated by Meteor’s code and capabilities’ “contradictory” practices.

“First, the code is rife with sanity checks, error checking, and redundancy in accomplishing its goals. However, the operators clearly made a major mistake in compiling a binary with a wealth of debug strings meant for internal testing,” Guerrero-Saade noted.

Meteor’s base also includes a “bizarre amalgam of custom code” that uses open-source components and “practically ancient” software, FSProLabs’ Lock My PC 4, referring to the attackers’ general experimental nature, he said.

Guerrero-Saade pointed out that “while that might suggest that the Meteor wiper was built to be disposable, or meant for a single operation,” this code is “juxtaposed with an externally configurable design that allows efficient reuse for different operations.”

Overall, the MeteorExpress components evaluated by researchers point to a new, intermediate-level participant in the attack field, “whose different operational components sharply oscillate from clunky and rudimentary to slick and well-developed,” he concluded.

Sources: