Meteor

Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways and the Ministry of Roads and Urban Development, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.[1]

ID: S0688
Type: MALWARE
Platforms: Windows
Contributors: Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Tsubasa Matsuda, NEC Corporation
Version: 1.0
Created: 07 March 2022
Last Modified: 14 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Meteor can use wmic.exe as part of its effort to delete shadow copies.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Meteor can use PowerShell commands to disable the network adapters on a victim machine.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Meteor can run set.bat, update.bat, cache.bat, bcd.bat, msrun.bat, and similar scripts.[1]

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Meteor can use group policy to push a scheduled task from the AD to all network machines.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.[1]

Enterprise T1485 Data Destruction

Meteor can fill a victim's files and directories with zero-bytes in replacement of real content before deleting them.[1]

Enterprise T1489 Service Stop

Meteor can disconnect all network adapters on a compromised host using powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }" > NUL.[1]

Enterprise T1106 Native API

Meteor can use WinAPI to remove a victim machine from an Active Directory domain.[1]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Meteor can use Wevtutil to remove Security, System and Application Event Viewer logs.[1]

.004 Indicator Removal: File Deletion

Meteor will delete the folder containing malicious scripts if it detects the hostname as PIS-APP, PIS-MOB, WSUSPROXY, or PIS-DB.[1]

Enterprise T1491 .001 Defacement: Internal Defacement

Meteor can change both the desktop wallpaper and the lock screen image to a custom image.[1]

Enterprise T1082 System Information Discovery

Meteor has the ability to discover the hostname of a compromised host.[1]

Enterprise T1490 Inhibit System Recovery

Meteor can use bcdedit to delete different boot identifiers on a compromised host; it can also use vssadmin.exe delete shadows /all /quiet and C:\Windows\system32\wbem\wmic.exe shadowcopy delete.[1]

Enterprise T1531 Account Access Removal

Meteor has the ability to change the password of local users on compromised hosts and can log off users.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Meteor has the ability to search for Kaspersky Antivirus on a victim's machine.[1]

Enterprise T1105 Ingress Tool Transfer

Meteor has the ability to download additional files for execution on the victim's machine.[1]

Enterprise T1057 Process Discovery

Meteor can check if a specific process is running, such as Kaspersky's avp.exe.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Meteor can hide its console window upon execution to decrease its visibility to a victim.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Meteor execution begins from a scheduled task named Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll and it creates a separate scheduled task called mstask to run the wiper only once at 23:55:00.[1]
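Several of the behaviours above are observable as plain command lines: the PowerShell adapter-disable one-liner (T1489), wevtutil clearing the Security, System and Application logs (T1070.001), the vssadmin, wmic and bcdedit recovery-inhibition commands (T1490), and the once-only task named mstask (T1053.005). The following is an added detection sketch, not code from this page or from the Meteor report: it runs those patterns over Sysmon-style process-creation records (Event ID 1). The sample records are constructed; their paths, the bcdedit arguments and the mstask target are illustrative, and the assumption that mstask is registered through schtasks.exe is mine, not the page's.

```python
"""Match Meteor's documented command lines against Sysmon-style process
creation records (Event ID 1). Added detection sketch, not code from the
ATT&CK page or from the Meteor report."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from xml.sax.saxutils import escape

# One rule per documented behaviour: (technique ID from the page, label, regex
# over CommandLine). The mstask rule assumes registration via schtasks.exe,
# which the page does not state; the other patterns follow the page's commands.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("T1490", "vssadmin deleting all shadow copies",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "wmic deleting shadow copies",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "bcdedit deleting a boot entry",
     re.compile(r"\bbcdedit(\.exe)?\s+/delete\b", re.I)),
    ("T1070.001", "wevtutil clearing Security/System/Application",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(security|system|application)\b", re.I)),
    ("T1489", "PowerShell disabling every network adapter through WMI",
     re.compile(r"Win32_NetworkAdapter.*\.Disable\(\)", re.I)),
    ("T1053.005", "scheduled task named mstask (assumed schtasks.exe registration)",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b.*\s/tn\s+mstask\b", re.I)),
]

def _event(event_id: int, image: str, cmdline: str) -> str:
    """Build a minimal Sysmon-shaped XML record (constructed test data)."""
    return (f'<Event><System><EventID>{event_id}</EventID></System><EventData>'
            f'<Data Name="Image">{escape(image)}</Data>'
            f'<Data Name="CommandLine">{escape(cmdline)}</Data></EventData></Event>')

# Constructed sample records: command lines follow the page; paths, the bcdedit
# arguments and the hypothetical mstask target are illustrative only.
SAMPLE_EVENTS = [
    _event(1, r"C:\Windows\System32\vssadmin.exe",
           "vssadmin.exe delete shadows /all /quiet"),
    _event(1, r"C:\Windows\System32\wbem\WMIC.exe",
           r"C:\Windows\system32\wbem\wmic.exe shadowcopy delete"),
    _event(1, r"C:\Windows\System32\bcdedit.exe", "bcdedit /delete {current} /f"),
    _event(1, r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    _event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           'powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | '
           'ForEach { If ($_.NetEnabled) { $_.Disable() } }" > NUL'),
    _event(1, r"C:\Windows\System32\schtasks.exe",
           r"schtasks /create /tn mstask /sc once /st 23:55:00 /tr C:\hypothetical\wiper.exe"),
    # Benign look-alikes that must not fire.
    _event(1, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    _event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           'powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | Select Name"'),
]

def parse_event(record: str) -> Dict[str, str]:
    """Flatten one record into {'EventID': ..., 'Image': ..., 'CommandLine': ...}."""
    root = ET.fromstring(record)
    fields = {"EventID": root.findtext("./System/EventID", default="")}
    for data in root.iter("Data"):
        fields[data.get("Name", "")] = data.text or ""
    return fields

def match_event(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (technique, label) for every rule whose pattern hits the command line."""
    if fields.get("EventID") != "1":   # only process-creation records carry CommandLine
        return []
    cmd = fields.get("CommandLine", "")
    return [(tid, label) for tid, label, rx in RULES if rx.search(cmd)]

def scan(records: List[str]) -> List[Tuple[str, str, str]]:
    """Run every rule over every record; returns (technique, label, command line)."""
    hits = []
    for record in records:
        fields = parse_event(record)
        for tid, label in match_event(fields):
            hits.append((tid, label, fields.get("CommandLine", "")))
    return hits

if __name__ == "__main__":
    for tid, label, cmd in scan(SAMPLE_EVENTS):
        print(f"{tid:<10} {label}: {cmd}")
```

The T1489 pattern keys on the WMI Disable() call rather than on Get-WmiObject alone, so inventory scripts that only enumerate Win32_NetworkAdapter do not fire; the vssadmin rule likewise requires the delete verb, since vssadmin list shadows is routine. In a real deployment the mstask and 23:55:00 values are brittle by design (they are this campaign's artifacts), so pair them with the broader shadow-copy and log-clearing rules rather than relying on them alone.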

References