
CrazyHunter Ransomware
CrazyHunter is a ransomware campaign targeting healthcare that weakens endpoint defenses and escalates privileges before encrypting systems at scale.

The Meteor (also known as Meteor Express) malware variant was first seen on July 9, 2021, when the Iranian railway system and the Ministry of Roads and Urban Development became the targets of its attack. The attack was attributed to the regime-opposition group Indra. The variant is considered a type of wiper malware and consists of three stages:
1. Defense Evasion (adding files/folders to exclusion lists),
2. Corruption of Master Boot Records, and
3. Payload execution that corrupts and wipes files/folders on the victim's system.
Similar to NotPetya, the intent is destruction: making the victim's machine unrecoverable.
Meteor, as of July 2022, has been observed in campaigns targeting Iranian government bodies related to transportation; during the July 2021 campaign these were the Iranian railway system and the Ministry of Roads and Urban Development in particular. The threat actor, Indra, has also been observed targeting Syrian companies with ties to Iran.
During the July 2021 Iranian attacks, it is believed that the attackers already had access to the systems before the malware was executed. The delivery method observed used batch script files and RAR archive files.
Meteor goes through an installation process before unleashing the main payload on the victim's system. This process includes downloading malicious CAB archives, disconnecting the machine from the network, and defense evasion via manipulation of antivirus exclusion lists. The variant then corrupts the boot process by overwriting the boot file with content that renders the machine unbootable on the next restart or shutdown/start. The wiper is then executed: it crawls the machine for specified files and directories and deletes them, deleting shadow copies in the process.
Persistence is achieved through the observed creation of a scheduled task that runs every time the system starts.
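The behaviours described above (antivirus exclusion-list tampering, disconnecting the host from the network, shadow copy deletion and a startup scheduled task) are the kind of process-creation telemetry a hunt team would sweep for. The script below is an added example written for this page, not code from the original text or from any vendor hunt package. It assumes a constructed, single-line process-creation log format (`timestamp host= user= cmd=`) and uses command-line patterns that are assumptions about how those actions commonly appear in Windows telemetry, not indicators taken from the Meteor campaign itself. It groups hits per host and flags hosts where more than one stage of the chain appears, which is the signal worth escalating.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    stage: str            # stage of the wiper chain the behaviour belongs to
    pattern: re.Pattern


# Assumed command-line patterns for the behaviours the page describes.
# They are generic hunting heuristics, not IoCs from the original campaign.
RULES = [
    Rule("av_exclusion_added", "Defense Evasion",
         re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)),
    Rule("network_interface_disabled", "Defense Evasion",
         re.compile(r"netsh\s+interface\s+set\s+interface\b.*\badmin=disable", re.I)),
    Rule("shadow_copies_deleted", "Impact",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    Rule("startup_scheduled_task", "Persistence",
         re.compile(r"schtasks(\.exe)?\s+/create\b.*\s/sc\s+onstart\b", re.I)),
]

# Constructed log format: "<timestamp> host=<name> user=<account> cmd=<command line>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmd):
    """All rules whose pattern appears anywhere in the command line."""
    return [r for r in RULES if r.pattern.search(cmd)]


def hunt(lines):
    """Run every rule over every parseable line; one hit per (event, rule) pair."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed telemetry is skipped, not treated as a hit
        for rule in match_rules(ev["cmd"]):
            hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "rule": rule.name, "stage": rule.stage})
    return hits


def hosts_with_chain(hits, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages of the chain were seen."""
    stages_by_host = {}
    for h in hits:
        stages_by_host.setdefault(h["host"], set()).add(h["stage"])
    return sorted(host for host, stages in stages_by_host.items()
                  if len(stages) >= min_stages)


# Constructed sample telemetry: one host showing the full chain, one benign host.
SAMPLE_LOG = [
    r"2021-07-09T05:01:12Z host=WS-RAIL01 user=CORP\svc_admin cmd=powershell.exe -c Add-MpPreference -ExclusionPath C:\Windows\Temp\stage",
    r"2021-07-09T05:01:40Z host=WS-RAIL01 user=CORP\svc_admin cmd=vssadmin.exe delete shadows /all /quiet",
    r'2021-07-09T05:02:03Z host=WS-RAIL01 user=CORP\svc_admin cmd=schtasks.exe /create /tn "UpdateCheck" /sc onstart /tr C:\Windows\Temp\stage\run.bat',
    r"2021-07-09T05:02:30Z host=WS-RAIL02 user=CORP\jdoe cmd=notepad.exe C:\Users\jdoe\notes.txt",
    r"2021-07-09T05:03:00Z host=WS-RAIL02 user=CORP\jdoe cmd=vssadmin.exe list shadows",
    "this line is not telemetry at all",
]


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["host"]} {h["user"]} {h["stage"]}: {h["rule"]}')
    print("escalate:", hosts_with_chain(found))
```

A single match (for example an administrator legitimately adding an exclusion) is low-fidelity on its own; the per-host stage count is what separates routine administration from the installation sequence the page describes, so tune `min_stages` rather than the individual patterns when the rule is noisy.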