Researchers Link Mysterious 'MeteorExpress' Wiper to Iranian Train Cyberattack
2021-07-29 13:01

Following cryptic reports of a malware attack that paralyzed the Iranian train system on July 9, SentinelOne threat hunters reconstructed the attack chain and discovered a destructive wiper component that could be used to scrub data from infected systems.

In a research paper, SentinelOne threat hunter Juan Andres Guerrero-Saade said the never-before-seen wiper was developed in the past three years and appears designed for reuse in multiple campaigns.

Based on artifacts found in the malware files, SentinelOne is using the MeteorExpress codename to identify the wiper.

"[This has] the fingerprints of an unfamiliar attacker," Guerrero-Saade said, noting that his team was unable to capture all the files associated with the wiper component of the malware.

"While we were able to recover a surprising amount of files for a wiper attack, some have eluded us. The MBR corrupter 'nti.exe' is most notable among those missing components," Guerrero-Saade explained.

"At its most basic functionality, the Meteor wiper takes a set of paths from the encrypted config and walks these paths, wiping files. It also makes sure to delete shadow copies and removes the machine from the domain to avoid means of quick remediation," he said.
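The two remediation-blocking behaviours named in that quote, shadow-copy deletion and removal of the host from the domain, are visible in process-creation telemetry regardless of which wiper binary triggers them. The following is an added detection sketch, not SentinelOne's code and not derived from the Meteor samples: it tags process command lines against generic Windows patterns for each behaviour and raises one alert per host, escalating to high severity when both occur within a short window. The command-line patterns, the log format and the log lines are constructed assumptions; the page itself names no command lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Generic Windows command-line patterns for each behaviour. These are
# assumptions (the usual ways each action is performed), not indicators
# taken from the Meteor samples or from the article.
SHADOW_COPY_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\bdelete\b", re.I),
]
DOMAIN_REMOVAL = [
    re.compile(r"netdom(\.exe)?\s+remove", re.I),
    re.compile(r"\bremove-computer\b", re.I),
    re.compile(r"unjoindomainorworkgroup", re.I),
]
BOTH = {"shadow_copy_deletion", "domain_removal"}

# Constructed sample process-creation log: 'timestamp|host|user|command line'.
SAMPLE_LOG = [
    "2021-07-09T06:10:00|WS-042|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2021-07-09T06:10:07|WS-042|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\wmic.exe computersystem call UnjoinDomainOrWorkgroup",
    "2021-07-09T06:12:30|WS-042|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe /c dir C:\\",
    "2021-07-09T08:00:00|FS-01|CORP\\admin|C:\\Windows\\System32\\vssadmin.exe list shadows",
    "2021-07-09T09:30:00|FS-01|CORP\\admin|C:\\Windows\\System32\\vssadmin.exe delete shadows /for=C: /oldest",
    "2021-07-09T21:00:00|FS-01|CORP\\admin|powershell.exe Remove-Computer -UnjoinDomainCredential CORP\\admin -Force",
]


def classify(cmdline):
    """Return the set of behaviour tags matched by one process command line."""
    tags = set()
    if any(p.search(cmdline) for p in SHADOW_COPY_DELETION):
        tags.add("shadow_copy_deletion")
    if any(p.search(cmdline) for p in DOMAIN_REMOVAL):
        tags.add("domain_removal")
    return tags


def parse_line(line):
    """Split one constructed 'timestamp|host|user|command line' record."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def correlate(lines, window=timedelta(minutes=30)):
    """One alert per host: 'high' when both behaviours appear within `window`
    of the host's first tagged event, 'medium' when only one does. Hosts with
    no tagged events produce no alert."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        tags = classify(ev["cmd"])
        if tags:
            per_host[ev["host"]].append((ev["ts"], tags))

    alerts = []
    for host, events in sorted(per_host.items()):
        events.sort(key=lambda e: e[0])
        first_ts = events[0][0]
        seen = set()
        for ts, tags in events:
            if ts - first_ts <= window:
                seen |= tags
        alerts.append({
            "host": host,
            "first_seen": first_ts.isoformat(),
            "tags": sorted(seen),
            "severity": "high" if BOTH <= seen else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the constructed log, WS-042 deletes its shadow copies and leaves the domain seven seconds apart and is rated high; FS-01 performs the two actions hours apart, so only the first lands inside the window and the host is rated medium. The severity split matters in practice: shadow-copy deletion on its own is common administrative noise, but the pairing is a strong signal that someone is removing recovery options ahead of destruction.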


News URL

http://feedproxy.google.com/~r/securityweek/~3/iUnCSAaC94Y/researchers-link-mysterious-meteorexpress-wiper-iranian-train-cyberattack