Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.[1]

ID: S0688
Platforms: Windows
Contributors: Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Tsubasa Matsuda, NEC Corporation
Version: 1.0
Created: 07 March 2022
Last Modified: 14 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1531 Account Access Removal

Meteor has the ability to change the password of local users on compromised hosts and can log off users.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Meteor can use PowerShell commands to disable the network adapters on a victim machines.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Meteor can run set.bat, update.bat, cache.bat, bcd.bat, msrun.bat, and similar scripts.[1]

Enterprise T1485 Data Destruction

Meteor can fill a victim's files and directories with zero-bytes in replacement of real content before deleting them.[1]

Enterprise T1491 .001 Defacement: Internal Defacement

Meteor can change both the desktop wallpaper and the lock screen image to a custom image.[1]

Enterprise T1484 .001 Domain Policy Modification: Group Policy Modification

Meteor can use group policy to push a scheduled task from the AD to all network machines.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Meteor can hide its console window upon execution to decrease its visibility to a victim.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.[1]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Meteor can use Wevtutil to remove Security, System and Application Event Viewer logs.[1]

.004 Indicator Removal: File Deletion

Meteor will delete the folder containing malicious scripts if it detects the hostname as PIS-APP, PIS-MOB, WSUSPROXY, or PIS-DB.[1]

Enterprise T1105 Ingress Tool Transfer

Meteor has the ability to download additional files for execution on the victim's machine.[1]

Enterprise T1490 Inhibit System Recovery

Meteor can use bcdedit to delete different boot identifiers on a compromised host; it can also use vssadmin.exe delete shadows /all /quiet and C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.[1]

Enterprise T1106 Native API

Meteor can use WinAPI to remove a victim machine from an Active Directory domain.[1]

Enterprise T1057 Process Discovery

Meteor can check if a specific process is running, such as Kaspersky's avp.exe.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Meteor execution begins from a scheduled task named Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll and it creates a separate scheduled task called mstask to run the wiper only once at 23:55:00.[1]

Enterprise T1489 Service Stop

Meteor can disconnect all network adapters on a compromised host using powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($.NetEnabled) { $.Disable() } }" > NUL.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Meteor has the ability to search for Kaspersky Antivirus on a victim's machine.[1]

Enterprise T1082 System Information Discovery

Meteor has the ability to discover the hostname of a compromised host.[1]

Enterprise T1047 Windows Management Instrumentation

Meteor can use wmic.exe as part of its effort to delete shadow copies.[1]