{
	"id": "a882c2df-234a-4a14-b57b-90eae17bf1a9",
	"created_at": "2026-04-10T03:20:58.179757Z",
	"updated_at": "2026-04-10T03:22:18.957605Z",
	"deleted_at": null,
	"sha1_hash": "256a72f0efb72511293d59df561c5ef7c0f95625",
	"title": "Novel Meteor Wiper Used in Attack that Crippled Iranian Train System",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68641,
	"plain_text": "Novel Meteor Wiper Used in Attack that Crippled Iranian Train System\r\nBy Elizabeth Montalbano\r\nPublished: 2021-07-30 · Archived: 2026-04-10 03:11:44 UTC\r\nA July 9th attack disrupted service and taunted Iran’s leadership with hacked screens directing customers to call\r\nthe phone of Iranian Supreme Leader Khamenei with complaints.\r\nAn attack earlier this month on Iran’s train system, which disrupted rail service and taunted Iran’s leadership via\r\nhacked public transit display screens, used a never-before-seen wiper malware called Meteor that appears to have\r\nbeen designed for reuse, a security researcher has found.\r\nThe initial attack, dubbed MeteorExpress, occurred July 9, when “a wiper attack paralyzed the Iranian train\r\nsystem,” according to a report by Juan Andres Guerrero-Saade at SentinelOne.\r\nThat attack disrupted service and directed customers via all of the displays and message boards at the train station\r\nto call “64411” (the number for the office of Supreme Leader Ali Khamenei) for more information.\r\nThe next day, attackers also hit the website and computer systems of the staff of Iran’s Ministry of Roads and\r\nUrban Development, according to a published report.\r\nSentinelLabs researchers reconstructed most of the attack chain in the train system and discovered the novel\r\nwiper, which the threat actors (who also appear to be a new set of adversaries still finding their attack rhythm)\r\nrefer to as Meteor, Guerrero-Saade wrote.\r\nGuerrero-Saade credited security researcher Anton Cherepanov with identifying an early analysis of the event\r\nwritten in Farsi by an Iranian antivirus company as helping researchers recreate the attack.\r\nWhat they discovered is that “behind this outlandish tale of stopped trains and glib trolls” are “the fingerprints of\r\nan unfamiliar attacker,” using a wiper that “was developed in the past three years and was designed for reuse,”\r\nGuerrero-Saade wrote.\r\nReconstructing the Attack\r\nOverall, the toolkit that orchestrated the attack was composed of a combination of batch files that implemented\r\ndifferent components dropped from RAR archives, according to SentinelLabs. Attackers used the batch files,\r\nnested alongside their respective components, in a chain to successfully execute the attack.\r\nhttps://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/\r\nPage 1 of 3\n\n“The wiper components are split by functionality: Meteor encrypts the filesystem based on an encrypted\r\nconfiguration, nti.exe corrupts the MBR, and mssetup.exe locks the system,” Guerrero-Saade wrote.\r\nResearchers recovered “a surprising amount of files” for a wiper attack, but did not manage to reconstruct them\r\nall. One notable missing component was the MBR corrupter, nti.exe; its absence is significant because the files\r\noverwritten by this component are the same as those overwritten by the notorious NotPetya ransomware, which\r\ncrippled organizations around the world in 2017, Guerrero-Saade noted.\r\nDespite the attack’s success, however, researchers found “a strange level of fragmentation to the overall toolkit,”\r\nhe said.\r\n“Batch files spawn other batch files, different RAR archives contain intermingled executables, and even the\r\nintended action is separated into three payloads: Meteor wipes the filesystem, mssetup.exe locks the user out, and\r\nnti.exe presumably corrupts the MBR,” Guerrero-Saade wrote.\r\nSpecific Attack Components\r\nResearchers identified and elaborated on two of those three payloads in the report. One is the main payload, the\r\nMeteor wiper, which comes in the form of an executable dropped under env.exe or msapp.exe, and is executed as a\r\nscheduled task with a single argument: an encrypted JSON configuration file, msconf.conf, that holds values for\r\ncorresponding keys contained in cleartext within the binary, according to the report.\r\n“At its most basic functionality, the Meteor wiper takes a set of paths from the encrypted config and walks these\r\npaths, wiping files,” Guerrero-Saade wrote. “It also makes sure to delete shadow copies and removes the machine\r\nfrom the domain to avoid means of quick remediation.”\r\nThe wiper also includes much more functionality that was not used in the Iranian train attack, he noted. It can:\r\nchange passwords for all users; disable screensavers; terminate processes based on a list of target processes; install\r\na screenlocker; disable recovery mode; change boot policy error handling; create scheduled tasks; and log off\r\nlocal sessions, among other actions.\r\nThe fact that it has such broad capabilities seems to suggest that Meteor is not merely a one-off, but that its\r\ncreators intend for it to be used in other attacks, Guerrero-Saade noted.\r\nMeteorExpress attackers also dropped a standalone screenlocker, mssetup.exe, that blocks user input before\r\ncreating a window that fills the entire screen, then disables the cursor and locks the user out entirely,\r\naccording to the report.\r\nNovice Attackers?\r\nDespite its success in the MeteorExpress attack, the threat group still seems to be honing its skills and finding\r\nits way, as evidenced by the “contradictory” practices of Meteor’s code and capabilities, researchers observed.\r\n“First, the code is rife with sanity checks, error checking, and redundancy in accomplishing its goals,” Guerrero-Saade wrote. “However, the operators clearly made a major mistake in compiling a binary with a wealth of debug\r\nstrings meant for internal testing.”\r\nThe guts of Meteor also include a “bizarre amalgam of custom code” that leverages open-source components and\r\n“practically ancient” software, FSProLabs’ Lock My PC 4, pointing to the generally experimental nature of the\r\nattackers’ approach, he said.\r\nHowever, “while that might suggest that the Meteor wiper was built to be disposable, or meant for a single\r\noperation,” this code is “juxtaposed with an externally configurable design that allows efficient reuse for different\r\noperations,” Guerrero-Saade wrote.\r\nOverall, the components of MeteorExpress that researchers examined point to a new, intermediate-level player in\r\nthe attack landscape “whose different operational components sharply oscillate from clunky and rudimentary to\r\nslick and well-developed,” he concluded.\r\n080321 14:17 UPDATE: Corrected name of SentinelOne.\r\nSource: https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/"
	],
	"report_names": [
		"168262"
	],
	"threat_actors": [],
	"ts_created_at": 1775791258,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/256a72f0efb72511293d59df561c5ef7c0f95625.pdf",
		"text": "https://archive.orkl.eu/256a72f0efb72511293d59df561c5ef7c0f95625.txt",
		"img": "https://archive.orkl.eu/256a72f0efb72511293d59df561c5ef7c0f95625.jpg"
	}
}