Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.[1]

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1531 | Account Access Removal | Meteor has the ability to change the password of local users on compromised hosts and can log off users.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Meteor can use PowerShell commands to disable the network adapters on victim machines.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Meteor can run |
| Enterprise | T1485 | Data Destruction | Meteor can fill a victim's files and directories with zero-bytes in replacement of real content before deleting them.[1] |
| Enterprise | T1491.001 | Defacement: Internal Defacement | Meteor can change both the desktop wallpaper and the lock screen image to a custom image.[1] |
| Enterprise | T1484.001 | Domain or Tenant Policy Modification: Group Policy Modification | Meteor can use group policy to push a scheduled task from the AD to all network machines.[1] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Meteor can hide its console window upon execution to decrease its visibility to a victim.[1] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.[1] |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | Meteor can use Wevtutil to remove Security, System and Application Event Viewer logs.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Meteor will delete the folder containing malicious scripts if it detects the hostname as |
| Enterprise | T1105 | Ingress Tool Transfer | Meteor has the ability to download additional files for execution on the victim's machine.[1] |
| Enterprise | T1490 | Inhibit System Recovery | Meteor can use |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.[1] |
| Enterprise | T1106 | Native API | Meteor can use |
| Enterprise | T1057 | Process Discovery | Meteor can check if a specific process is running, such as Kaspersky's |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Meteor execution begins from a scheduled task named |
| Enterprise | T1489 | Service Stop | Meteor can disconnect all network adapters on a compromised host using |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Meteor has the ability to search for Kaspersky Antivirus on a victim's machine.[1] |
| Enterprise | T1082 | System Information Discovery | Meteor has the ability to discover the hostname of a compromised host.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | Meteor can use |