SentinelLabs has reported on a campaign, named MeteorExpress, in which wiper malware was used to halt Iran's train services. The attackers deployed a previously unseen wiper, which the researchers call Meteor.
According to the researchers, the malware was deployed on July 9 to infect the railway systems of Iran and immobilize them. A message was displayed instructing travellers to direct complaints to the phone number of the Iranian Supreme Leader's office.
Analysis of the attack showed that the attackers abused Group Policy to push the malware onto the systems, with its components delivered packed in CAB files. The malware is split into components by function: Meteor wipes the filesystem, nti[.]exe targets the Master Boot Record (MBR), and mssetup[.]exe locks the screen.
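The chain described above (Group Policy pushes a script, CAB files are extracted, then the wiper, MBR corrupter and screen locker run) is something a detection engineer would want to catch before the last stage fires. The following is an added example, not code from the page or from SentinelLabs. It runs a simple sequence rule over constructed process-creation records. The log format, host names, paths, the 15-minute window and the file name meteor.exe are assumptions; nti.exe and mssetup.exe are the names given on the page.

```python
"""Sequence detection for a Group Policy -> CAB extraction -> wiper component chain.

Added example, not SentinelLabs' or the page's code. Every log line below is
constructed; the pipe-separated format 'timestamp|host|parent|image|cmdline'
is an assumption standing in for Sysmon/EDR process-creation events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Component names named on the page; "meteor.exe" is an assumed file name.
WIPER_COMPONENTS = {"meteor.exe", "nti.exe", "mssetup.exe"}
# Assumption: the whole chain lands within one Group Policy refresh.
WINDOW = timedelta(minutes=15)

# Constructed sample events: one host shows the full chain, one shows a benign
# CAB extraction by a user that must not be flagged.
SAMPLE_EVENTS = r"""
2021-07-09T06:55:01|RAIL-WS01|services.exe|svchost.exe|svchost.exe -k netsvcs -p -s gpsvc
2021-07-09T06:55:03|RAIL-WS01|gpscript.exe|cmd.exe|cmd.exe /c \\DC01\SYSVOL\corp.local\scripts\deploy.bat
2021-07-09T06:55:04|RAIL-WS01|cmd.exe|expand.exe|expand.exe C:\temp\payload.cab -F:* C:\temp
2021-07-09T06:55:07|RAIL-WS01|cmd.exe|nti.exe|C:\temp\nti.exe
2021-07-09T06:55:08|RAIL-WS01|cmd.exe|mssetup.exe|C:\temp\mssetup.exe
2021-07-09T06:55:09|RAIL-WS01|cmd.exe|meteor.exe|C:\temp\meteor.exe
2021-07-09T07:10:00|RAIL-WS02|explorer.exe|expand.exe|expand.exe C:\Users\bob\driver.cab -F:* C:\Users\bob\drv
"""


def parse_events(text):
    """Turn the pipe-separated records into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "parent": parent.lower(),
            "image": image.lower(),
            "cmdline": cmdline,
        })
    return events


def classify(ev):
    """Map a single event to a stage of the chain, or None if it matches nothing."""
    cmd = ev["cmdline"].lower()
    # Stage 1: a script launched by the Group Policy script host or from SYSVOL.
    if ev["parent"] == "gpscript.exe" or "\\sysvol\\" in cmd:
        return "gpo_script"
    # Stage 2: CAB archive extraction with the built-in expand.exe.
    if ev["image"] == "expand.exe" and ".cab" in cmd:
        return "cab_extract"
    # Stage 3: one of the known wiper components starts.
    if ev["image"] in WIPER_COMPONENTS:
        return "component_exec"
    return None


def detect(events):
    """Return {host: finding} for hosts where a GPO script is followed, within
    WINDOW, by a CAB extraction and at least one wiper component launch."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage, ev["image"]))

    hits = {}
    for host, stages in by_host.items():
        for i, (t0, stage, _) in enumerate(stages):
            if stage != "gpo_script":
                continue
            later = [s for s in stages[i + 1:] if s[0] - t0 <= WINDOW]
            saw_cab = any(s[1] == "cab_extract" for s in later)
            components = sorted({s[2] for s in later if s[1] == "component_exec"})
            if saw_cab and components:
                hits[host] = {"first_seen": t0.isoformat(), "components": components}
                break  # one finding per host is enough
    return hits


if __name__ == "__main__":
    for host, finding in detect(parse_events(SAMPLE_EVENTS)).items():
        print(host, finding)
```

The rule deliberately keys on the delivery mechanism (a script under SYSVOL launched by gpscript.exe) and the CAB unpacking rather than only on the component file names, since an attacker can rename binaries far more easily than they can avoid the Group Policy machinery they chose to abuse. The benign extraction on RAIL-WS02 is not flagged because no Group Policy script precedes it.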
Some additional insights:
The researchers also found that the main payload delivered in the attack was a .exe dropper. The wiper is named Meteor after an internal name its developers exposed through an OPSEC mistake. Not all of the toolkit's components were used in the attack: its ability to change the password and user ID, create scheduled tasks and so on went unused.
The attackers appear to have had thorough knowledge of their target and were fully capable of carrying out a successful attack. All of these facts point to a serious cyber threat.