SentinelLabs researchers have identified a never-before-seen wiper while investigating the attack that hit the Iranian train system on July 9.

The firm said in a report released on Thursday that its researchers were able to reassemble most of the attack chain, including the new wiper. The wiper's internal name, Meteor, was exposed through the attackers' own OPSEC errors, and the campaign has accordingly been named MeteorExpress.

The attack has not yet been linked to any previously identified threat actor, group or earlier operation. Artefacts suggest the wiper was developed within the past three years and was built to be reused.

Iran's entire train system was hit by the wiper on July 9, disrupting services. The attack also came with some serious trolling: display boards at railway stations directed commuters to call 64411 "for more information", the phone number of the office of Supreme Leader Ali Khamenei.

In #Iran today, a phone number–64411–was placed on the boards at train stations amid reports of a cyberattack on the rail system. Commuters were directed to contact for more information. It corresponded to the phone number listed on the website of Iran’s Supreme Leader. pic.twitter.com/IQQ85I6QhJ

Iran International English (@IranIntl_En), July 9, 2021

Security researcher Anton Cherepanov pointed to an early analysis of the attack published on July 18 by Padvish, an Iranian antivirus vendor. SentinelLabs was able to recover most of the attack components listed in that report, along with a few that Padvish had overlooked.

According to Padvish's early analysis and a recovered attacker artefact listing the component names, the attackers abused Group Policy to distribute a CAB file that launched the attack. Most of the attack, however, was orchestrated by a series of batch files nested alongside their individual components and chained together for sequential execution.

[Image: the MeteorExpress attack chain, as reconstructed by SentinelLabs]

Each batch file in the chain performs one task, such as rendering the machine unusable or clearing event logs, and then calls the next batch file to carry out the following phase.

To clear the Security, System and Application event logs, the attackers relied on native commands such as wevtutil. The attack also uses a utility named Sync to force the filesystem cache to be flushed to disk, presumably so that the destructive writes reach the disk rather than sitting in memory.

Besides the batch files (which spawn further batch files) and several RAR archives containing multiple .exe files, the intended action is split across three separate payloads, adding to the unusual fragmentation of the whole toolkit.

In its most basic form the wiper deletes files. To hinder recovery it also deletes shadow copies and disconnects the machine from its domain. Many other capabilities were not used in this attack, including:

  • Changing the passwords of all users
  • Disabling the screensaver
  • Terminating processes from a list of target processes
  • Installing a screen locker
  • Disabling recovery mode
  • Changing the boot policy's error handling
  • Creating a scheduled task
  • Logging off local sessions
  • Changing the lock screen image for different Windows versions (XP, 7, 10)
  • Creating processes and executing commands
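The chain described above (a CAB file delivered via Group Policy, batch files spawning batch files, wevtutil clearing logs, Sync flushing the cache, shadow copies deleted and the host disjoined from its domain) is also a good hunting target, because each stage is a plain command line in process-creation telemetry. The following is an added example written for this article, not code from SentinelLabs or Padvish: a Python hunt script that scores per-host process-creation events for those stages and for nested batch execution. The field names, the sample log lines, the indicator weights and the alert threshold are all assumptions constructed here, not data from the incident.

```python
"""Score Windows process-creation telemetry for MeteorExpress-style tradecraft:
batch files spawning batch files, wevtutil clearing event logs, shadow-copy
deletion, a forced filesystem flush and a domain disjoin.

Added example for this article, not SentinelLabs or Padvish code. The field
names (ts, host, pid, ppid, image, cmdline) are an assumed JSON reduction of
Sysmon Event ID 1 / Security 4688 records; the sample lines are constructed.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not from the incident). WS01 runs a chain that
# resembles the one described in the article; WS02 is benign batch activity.
SAMPLE_EVENTS = r"""
{"ts":"2021-07-09T09:01:00Z","host":"WS01","pid":4100,"ppid":880,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c \\\\corp.local\\SYSVOL\\corp.local\\scripts\\setup.bat"}
{"ts":"2021-07-09T09:01:02Z","host":"WS01","pid":4112,"ppid":4100,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c C:\\temp\\update.bat"}
{"ts":"2021-07-09T09:01:03Z","host":"WS01","pid":4120,"ppid":4112,"image":"C:\\Windows\\System32\\wevtutil.exe","cmdline":"wevtutil.exe cl Security"}
{"ts":"2021-07-09T09:01:03Z","host":"WS01","pid":4121,"ppid":4112,"image":"C:\\Windows\\System32\\wevtutil.exe","cmdline":"wevtutil.exe cl System"}
{"ts":"2021-07-09T09:01:04Z","host":"WS01","pid":4130,"ppid":4112,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c C:\\temp\\bcd.bat"}
{"ts":"2021-07-09T09:01:05Z","host":"WS01","pid":4140,"ppid":4130,"image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"ts":"2021-07-09T09:01:06Z","host":"WS01","pid":4150,"ppid":4130,"image":"C:\\temp\\sync.exe","cmdline":"sync.exe -accepteula"}
{"ts":"2021-07-09T09:01:07Z","host":"WS01","pid":4160,"ppid":4130,"image":"C:\\Windows\\System32\\netdom.exe","cmdline":"netdom.exe remove WS01 /d:corp.local /force"}
{"ts":"2021-07-09T09:15:00Z","host":"WS02","pid":5000,"ppid":900,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c C:\\build\\run_tests.bat"}
{"ts":"2021-07-09T09:15:01Z","host":"WS02","pid":5010,"ppid":5000,"image":"C:\\Windows\\System32\\wevtutil.exe","cmdline":"wevtutil.exe qe Application /c:5"}
"""

# Command-line patterns for the stages the article describes; matched on the
# lower-cased command line.
RULES = {
    "gpo_sysvol_script": re.compile(r"\\sysvol\\.*\.(bat|cmd|cab)\b"),
    "eventlog_clear": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"),
    "shadowcopy_delete": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    "domain_disjoin": re.compile(r"\bnetdom(\.exe)?\s+remove\b|\bremove-computer\b"),
}
# Illustrative weights (assumed): log clearing, shadow-copy deletion and a
# disjoin are rarely legitimate together; a cache flush alone is weak evidence.
WEIGHTS = {"gpo_sysvol_script": 2, "eventlog_clear": 3, "shadowcopy_delete": 3,
           "cache_flush": 1, "domain_disjoin": 3}
ALERT_THRESHOLD = 6          # illustrative; tune against your own baseline
BATCH_RE = re.compile(r"\.(bat|cmd)\b")


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(image):
    return image.lower().rsplit("\\", 1)[-1]


def is_batch_launch(ev):
    """cmd.exe running a .bat/.cmd script: the shape of every stage in the chain."""
    return basename(ev["image"]) == "cmd.exe" and BATCH_RE.search(ev["cmdline"].lower()) is not None


def classify(ev):
    """Return the set of stage names a single event matches."""
    cmd = ev["cmdline"].lower()
    stages = {name for name, pat in RULES.items() if pat.search(cmd)}
    if basename(ev["image"]) == "sync.exe":   # the Sync flush utility, matched on image name
        stages.add("cache_flush")
    return stages


def batch_ancestry(events):
    """For each event, how many cmd.exe-runs-batch launches sit in its ancestry
    (itself included). A depth of 2 or more means a batch file spawned a batch file."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    depths = {}
    for e in events:
        depth, cur, seen = 0, e, set()
        while cur is not None and (cur["host"], cur["pid"]) not in seen:
            seen.add((cur["host"], cur["pid"]))
            if is_batch_launch(cur):
                depth += 1
            cur = by_key.get((cur["host"], cur["ppid"]))
        depths[(e["host"], e["pid"])] = depth
    return depths


def analyze(events):
    """Aggregate per host: matched stages, deepest batch nesting, score, verdict."""
    depths = batch_ancestry(events)
    hosts = defaultdict(lambda: {"stages": set(), "max_batch_depth": 0, "evidence": []})
    for e in events:
        rec = hosts[e["host"]]
        stages = classify(e)
        rec["stages"] |= stages
        rec["max_batch_depth"] = max(rec["max_batch_depth"], depths[(e["host"], e["pid"])])
        rec["evidence"].extend((s, e["pid"], e["cmdline"]) for s in sorted(stages))
    results = {}
    for host, rec in hosts.items():
        score = sum(WEIGHTS[s] for s in rec["stages"])
        if rec["max_batch_depth"] >= 2:
            score += 2       # nested batch chain, as in the reconstructed attack
        results[host] = {
            "stages": sorted(rec["stages"]),
            "max_batch_depth": rec["max_batch_depth"],
            "score": score,
            # require two distinct stages so a single log clear never alerts on its own
            "alert": score >= ALERT_THRESHOLD and len(rec["stages"]) >= 2,
            "evidence": rec["evidence"],
        }
    return results


if __name__ == "__main__":
    for host, r in analyze(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: score={r['score']} depth={r['max_batch_depth']} alert={r['alert']}")
        for stage, pid, cmd in r["evidence"]:
            print(f"  [{stage}] pid {pid}: {cmd}")
```

Run as-is, the script alerts on WS01 (all five stages, batch nesting three deep) and stays quiet on WS02, whose single top-level batch file only queries a log. The per-host aggregation matters because no single stage here is a reliable signal on its own; it is the combination of log clearing, shadow-copy deletion and a domain disjoin, chained through batch files, that characterises the reconstructed attack.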

When he’s not writing/editing/shooting/hosting all things tech, he streams himself racing virtual vehicles. Yadullah can be reached at [email protected], or you can follow him on Instagram or Twitter.