OVERVIEW
The Meteor or Meteor Express malware variant was first seen when the Iranian railway system and the Ministry of Roads and Urban Development system became the target of the malware’s attack in July 9th of 2021. The attack was attributed to the regime opposition group named Indra. The variant is considered a type of Wiper malware, consisting of 3 stages:
1. Defense Evasion (adding files/folders to exclusion lists),
2. Corruption of Master Boot Records, and
3. Payload execution that corrupts and wipes files/folders on victim’s system.
Similar to Notpetya, the intent is destruction and making the victim’s machine unrecoverable.
TARGETING
Meteor, as of July 2022, has been observed being used in campaigns targeting Iranian government bodies related to Transportation – the Iranian railway system and the Ministry of Roads and Urban Development system in particular during the July campaign. The threat actor, Indra, have been observed targeting Syrian companies that have ties to Iran as well.
DELIVERY
During the July 2021 Iranian attacks, it is believed that the attackers had previous access to the system before the execution of the malware. The delivery method observed utilized batch script files and RAR archive files.
INSTALLATION
Meteor goes through a process of installation before unleashing the main payload on the victim’s system. This process includes the downloading of malicious cab archives, disconnecting the machine from networks, and defense evasion via manipulation of AV exclusion lists. The variant then corrupts the boot process by overwriting the boot file associated with content that renders it unbootable if restarted or shutdown/started. The wiper is then executed, which sprawls the machine for specified files and directories and deletes them, as well as deleting shadow copies in the process.
PERSISTENCE
Persistence is achieved through the observed creation of a scheduled task that is executed every time the system starts.
