Iranians are being encouraged to take to the streets in protest after their national railway system was hit by a wiper, an incident authorities say was an act of sabotage but that has been met by a barrage of scorn from opposition activists and some of the country’s most influential social media users. The unusual attack—if that is what it actually was—appeared to be the work of a pro-government troll, who sought to sow confusion and anger in the wake of the June 20 vote to elect a new parliament.
A train in the middle of a desert, hit by a wiper! It did not take long for the Iranian authorities to find the perpetrator, but it took them a lot longer to find an explanation. The most popular theory is that the perpetrator, a man in his thirties whose identity remains unknown, was trying to express his dissatisfaction with the government’s actions.
SentinelLabs security researchers have discovered a never-before-seen wiper as part of their study into the wiper attack on the Iranian train system on July 9th.
In a report released on Thursday, the firm said its researchers were able to reassemble the attack chain, which included the new wiper. The wiper’s name, Meteor, was exposed through OPSEC errors made by the attackers, and the campaign has accordingly been named MeteorExpress.
The attacks have yet to be linked to a previously identified threat actor, group, or even to past operations. According to the recovered artefacts, the wiper was developed within the past three years and is designed to be reused.
The whole Iranian train system was struck by a wiper attack on the 9th of July, disrupting services. The onslaught also featured some serious trolling, with commuters being directed to phone 64411, the number for the office of Supreme Leader Ali Khamenei, via screens at railway stations.
In #Iran today, a phone number–64411–was placed on the boards at train stations amid reports of a cyberattack on the rail system. Commuters were directed to contact for more information. It corresponded to the phone number listed on the website of Iran’s Supreme Leader. pic.twitter.com/IQQ85I6QhJ
Iran International English (@IranIntl_En), 9 July 2021
Security researcher Anton Cherepanov pointed to an early analysis of the attack published on July 18th by Padvish, an Iranian antivirus vendor. SentinelLabs was able to retrieve the majority of the attack components listed in that report, as well as a few others that it had overlooked.
According to Padvish’s early analysis and a recovered attacker artefact containing a list of component names, the attackers misused Group Policy to distribute a cab file that launched the attack. Most of the attack, however, was orchestrated by a series of batch files, nested alongside their individual components and chained together for sequential execution.
(Figure: the MeteorExpress attack chain, as reconstructed by SentinelLabs.)
Each batch file in the attack chain performs a specific task, such as rendering the machine unusable or cleaning event logs, before calling another batch file to carry out the next phase.
To clear the Security, System and Application event logs, the attackers used native commands such as wevtutil. The attack also uses a utility named Sync to manually flush the filesystem cache to disk.
The intended action is split across three separate payloads, in addition to a variety of batch files (which spawn further batch files) and several RAR archives containing multiple .exe files. All of this contributes to the unusual fragmentation of the overall attack toolkit.
At its most basic, the wiper deletes files. To hinder remediation, it also deletes shadow copies and disconnects the machine from its domain. Many of its other capabilities, however, were not used in this attack. These additional features include:
- Changing the passwords of all users
- Disabling the screensaver
- Terminating processes from a list of target processes
- Installing a screen locker
- Disabling recovery mode
- Changing the boot policy’s error-handling behaviour
- Creating a scheduled task
- Logging off local sessions
- Changing the lock screen image for different Windows versions (XP, 7, 10)
- Creating processes and executing commands
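The behaviours described above (event-log clearing with wevtutil, cache flushing with Sync, shadow-copy deletion, and batch files that launch further batch files) are each ordinary Windows administration activity on their own, which is why a detection should look for the cluster per host rather than alert on any single command. The following Python sketch is an added example, not SentinelLabs’ or Padvish’s tooling: it scores constructed process-creation log lines against a small rule set. The log format, the host names, the file paths, and the assumption that shadow copies are deleted via `vssadmin` are all constructed for the example; the page names only wevtutil and Sync explicitly.

```python
"""
Detection sketch (added example): flag hosts whose process-creation
telemetry shows several of the MeteorExpress-style behaviours at once.
Sample log lines are constructed; the 'vssadmin' indicator is an assumption
about how shadow copies were removed, not something stated by the report.
"""
import re
from collections import defaultdict

# Command-line indicators. Each one alone is benign admin activity, so the
# detector counts distinct indicators per host and only flags a cluster.
RULES = {
    "event_log_clear": re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I),
    "shadow_copy_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),  # assumption
    "cache_flush_sync": re.compile(r"\bsync(?:64)?\.exe\b", re.I),  # Sysinternals Sync
}


def parse_line(line):
    """Constructed format: timestamp|host|parent command line|command line."""
    ts, host, parent, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "parent": parent.strip(), "cmd": cmd.strip()}


def indicators(event):
    """Return the set of indicator names that a single event triggers."""
    hits = {name for name, rx in RULES.items() if rx.search(event["cmd"])}
    # Chained batch files: a .bat launched from inside another .bat, matching
    # the report's description of batch files that call the next batch file.
    if ".bat" in event["parent"].lower() and ".bat" in event["cmd"].lower():
        hits.add("batch_chain")
    return hits


def analyse(lines, threshold=3):
    """Aggregate indicators per host; return hosts at or above the threshold."""
    per_host = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments in the sample
        ev = parse_line(line)
        per_host[ev["host"]] |= indicators(ev)
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= threshold}


# Constructed sample telemetry: one host showing the clustered behaviour and
# one administrator host that merely clears a single log.
SAMPLE_LOG = """\
# ts|host|parent command line|command line
2021-07-09T08:01:10|WS-RAIL-17|C:\\Windows\\System32\\svchost.exe|cmd.exe /c C:\\ProgramData\\setup.bat
2021-07-09T08:01:11|WS-RAIL-17|cmd.exe /c C:\\ProgramData\\setup.bat|cmd.exe /c C:\\ProgramData\\env.bat
2021-07-09T08:01:12|WS-RAIL-17|cmd.exe /c C:\\ProgramData\\env.bat|wevtutil.exe cl Security
2021-07-09T08:01:12|WS-RAIL-17|cmd.exe /c C:\\ProgramData\\env.bat|wevtutil.exe cl System
2021-07-09T08:01:13|WS-RAIL-17|cmd.exe /c C:\\ProgramData\\env.bat|vssadmin.exe delete shadows /all /quiet
2021-07-09T08:01:14|WS-RAIL-17|cmd.exe /c C:\\ProgramData\\env.bat|sync.exe -accepteula
2021-07-09T09:30:00|WS-ADMIN-02|explorer.exe|wevtutil.exe cl Application
"""

if __name__ == "__main__":
    for host, hits in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {len(hits)} indicators -> {', '.join(hits)}")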
When he’s not writing/editing/shooting/hosting all things tech, he streams himself racing virtual vehicles. Yadullah can be reached at [email protected], or you can follow him on Instagram or Twitter.