
Meteor

Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways and the Ministry of Roads and Urban Development, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.(Citation: Check Point Meteor Aug 2021)
ID: S0688
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 07 Mar 2022
Last Modified: 14 Apr 2022

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Meteor can use PowerShell commands to disable the network adapters on a victim machine.(Citation: Check Point Meteor Aug 2021)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Meteor can run `set.bat`, `update.bat`, `cache.bat`, `bcd.bat`, `msrun.bat`, and similar scripts.(Citation: Check Point Meteor Aug 2021)

Enterprise T1491 .001 Defacement: Internal Defacement

Meteor can change both the desktop wallpaper and the lock screen image to a custom image.(Citation: Check Point Meteor Aug 2021)

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Meteor can use group policy to push a scheduled task from the AD to all network machines.(Citation: Check Point Meteor Aug 2021)
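A scheduled task pushed through Group Policy lands in SYSVOL as a Group Policy Preferences `ScheduledTasks.xml`, so that file is the place to hunt for a deployment like the one described above. The scanner below is an added example, not code from this page or from the Check Point report: it parses a constructed GPP `ScheduledTasks.xml` and flags tasks whose action is a script file, whose command points at a UNC share or a user-writable directory, or which run once as SYSTEM from a `TimeTrigger`. The element layout assumes the GPP `TaskV2` schema with an embedded Task Scheduler definition; the GUIDs, the host `dc01`, the task names and the paths in the sample are made up for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of a GPP ScheduledTasks.xml as found under
# SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\.
# One benign weekly task and one suspicious one-shot task; all names,
# GUIDs and paths are invented for this example.
SAMPLE_GPP_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="WeeklyDefrag" image="0" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="C" name="WeeklyDefrag" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Triggers><CalendarTrigger><StartBoundary>2021-06-01T03:00:00</StartBoundary><ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
        <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="mstask" image="0" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="C" name="mstask" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Triggers><TimeTrigger><StartBoundary>2021-07-09T23:55:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
        <Actions Context="Author"><Exec><Command>cmd.exe</Command><Arguments>/c \\dc01\netlogon\update.bat</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs")
# Directories a low-privileged user can usually write to (heuristic, not exhaustive).
USER_WRITABLE = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")
TASK_TAGS = {"Task", "TaskV2", "ImmediateTask", "ImmediateTaskV2"}


@dataclass
class TaskFinding:
    name: str
    run_as: str
    command: str
    arguments: str
    trigger: str
    reasons: list = field(default_factory=list)


def _local(tag):
    """Strip any XML namespace so the parser works with or without one."""
    return tag.rsplit("}", 1)[-1]


def _first_text(element, local_name):
    for node in element.iter():
        if _local(node.tag) == local_name:
            return (node.text or "").strip()
    return ""


def scan_gpp_scheduled_tasks(xml_bytes):
    """Return a TaskFinding for every GPP task that trips at least one heuristic."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for task in list(root):
        if _local(task.tag) not in TASK_TAGS:
            continue
        props = task.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        command = _first_text(task, "Command")
        arguments = _first_text(task, "Arguments")
        # First *Trigger element inside the embedded Task Scheduler definition.
        trigger = next((_local(n.tag) for n in task.iter()
                        if _local(n.tag).endswith("Trigger")), "")
        cmdline = f"{command} {arguments}".lower()

        reasons = []
        if any(ext in cmdline for ext in SCRIPT_EXTENSIONS):
            reasons.append("action runs a script file")
        if "\\\\" in cmdline:
            reasons.append("command or arguments reference a UNC path")
        if any(p in cmdline for p in USER_WRITABLE):
            reasons.append("command lives under a user-writable directory")
        if "system" in run_as.lower() and trigger == "TimeTrigger":
            reasons.append("one-shot TimeTrigger running as SYSTEM")
        if reasons:
            findings.append(TaskFinding(task.get("name", ""), run_as, command,
                                        arguments, trigger, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_gpp_scheduled_tasks(SAMPLE_GPP_XML.encode()):
        print(f"{f.name}: {f.command} {f.arguments} ({f.trigger}, runAs={f.run_as})")
        for r in f.reasons:
            print("  -", r)
```

In a real hunt, feed the function every `ScheduledTasks.xml` under `\\<domain>\SYSVOL\<domain>\Policies\*\Machine\Preferences\ScheduledTasks\` and diff the findings against the last known-good run; a task that appears across all linked GPOs at once, runs as SYSTEM from a single `TimeTrigger` and executes a batch file is the pattern this page attributes to Meteor.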

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Meteor can hide its console window upon execution to decrease its visibility to a victim.(Citation: Check Point Meteor Aug 2021)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.(Citation: Check Point Meteor Aug 2021)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Meteor can use Wevtutil to clear the Security, System, and Application event logs.(Citation: Check Point Meteor Aug 2021)

Enterprise T1070 .004 Indicator Removal: File Deletion

Meteor will delete the folder containing malicious scripts if it detects the hostname as `PIS-APP`, `PIS-MOB`, `WSUSPROXY`, or `PIS-DB`.(Citation: Check Point Meteor Aug 2021)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.(Citation: Check Point Meteor Aug 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Meteor execution begins from a scheduled task named `Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll` and it creates a separate scheduled task called `mstask` to run the wiper only once at 23:55:00.(Citation: Check Point Meteor Aug 2021)
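Several of the behaviours listed above leave distinct Windows event records: the PowerShell adapter disable (T1059.001), the Defender exclusion changes (T1562.001), the wevtutil log clearing (T1070.001) and the one-shot `mstask` scheduled task (T1053.005). The rules below are an added example, not code from this page or from the Check Point report, and run over a constructed list of event records rather than live telemetry. Channel names and event IDs are the standard ones (Security 4688/1102/4698, System 104, PowerShell 4104, Defender 5007); the field names follow each event's own data fields, except that the Defender 5007 "New value" text is carried as `NewValue` for simplicity. The regexes and the PowerShell command line in the sample are assumptions about how the behaviour surfaces, not Meteor's exact commands; hostnames and dates are invented.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    """One Windows event, reduced to what the rules need (constructed input)."""
    host: str
    channel: str
    event_id: int
    fields: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Alert:
    host: str
    technique: str
    reason: str


# Patterns below are assumptions about how each behaviour appears in logs.
WEVTUTIL_CLEAR = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(security|system|application)\b", re.I)
NET_DISABLE = re.compile(
    r"Disable-NetAdapter|Win32_NetworkAdapter[\s\S]*?\.Disable\(\)", re.I)
DEFENDER_EXCLUSION = re.compile(
    r"\\Windows Defender\\Exclusions\\(?:Paths|Processes|Extensions)\\", re.I)
ONCE_AT_2355 = re.compile(
    r"<TimeTrigger>[\s\S]*?<StartBoundary>\d{4}-\d{2}-\d{2}T23:55:00</StartBoundary>")
SUSPECT_TASK_NAMES = {"mstask"}


def check_log_clear(ev):
    """T1070.001: the audit record of the clear itself, or the wevtutil command that did it."""
    if ev.channel == "Security" and ev.event_id == 1102:
        return "T1070.001", "Security log cleared (Event 1102)"
    if ev.channel == "System" and ev.event_id == 104:
        return "T1070.001", f"{ev.fields.get('Channel', '?')} log cleared (Event 104)"
    if ev.event_id == 4688:
        m = WEVTUTIL_CLEAR.search(ev.fields.get("CommandLine", ""))
        if m:
            return "T1070.001", f"wevtutil clearing the {m.group(1)} log"
    return None


def check_net_disable(ev):
    """T1059.001: script block that disables network adapters."""
    if ev.event_id == 4104 and NET_DISABLE.search(ev.fields.get("ScriptBlockText", "")):
        return "T1059.001", "PowerShell disabling network adapters"
    return None


def check_defender_exclusion(ev):
    """T1562.001: Defender configuration change adding an exclusion."""
    if ev.channel.startswith("Microsoft-Windows-Windows Defender") and ev.event_id == 5007:
        new_value = ev.fields.get("NewValue", "")
        if DEFENDER_EXCLUSION.search(new_value):
            return "T1562.001", "Defender exclusion added: " + new_value
    return None


def check_scheduled_task(ev):
    """T1053.005: task registered with a known bad name or a single 23:55:00 trigger."""
    if ev.channel == "Security" and ev.event_id == 4698:
        name = ev.fields.get("TaskName", "").rsplit("\\", 1)[-1].lower()
        if name in SUSPECT_TASK_NAMES:
            return "T1053.005", f"scheduled task with suspicious name {name!r}"
        if ONCE_AT_2355.search(ev.fields.get("TaskContent", "")):
            return "T1053.005", "one-shot scheduled task firing at 23:55:00"
    return None


RULES = (check_log_clear, check_net_disable, check_defender_exclusion, check_scheduled_task)


def run_rules(events):
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(Alert(ev.host, *hit))
    return alerts


ONE_SHOT_2355 = ("<Triggers><TimeTrigger><StartBoundary>2021-07-09T23:55:00</StartBoundary>"
                 "</TimeTrigger></Triggers>")

# Constructed events: the first seven should alert, the last two are benign noise.
SAMPLE_EVENTS = [
    Event("ws01", "Security", 4688, {"CommandLine": "wevtutil.exe cl Security"}),
    Event("ws01", "Security", 1102, {}),
    Event("ws01", "System", 104, {"Channel": "Application"}),
    Event("ws01", "Microsoft-Windows-PowerShell/Operational", 4104, {"ScriptBlockText":
          "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }"}),
    Event("ws01", "Microsoft-Windows-Windows Defender/Operational", 5007, {"NewValue":
          r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ = 0x0"}),
    Event("ws01", "Security", 4698, {"TaskName": r"\mstask", "TaskContent": ONE_SHOT_2355}),
    Event("ws02", "Security", 4698, {"TaskName": r"\Microsoft\Windows\UpdateCheck", "TaskContent": ONE_SHOT_2355}),
    Event("ws03", "Security", 4688, {"CommandLine": "wevtutil.exe qe Application /c:5"}),
    Event("ws03", "Security", 4698, {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "TaskContent":
          "<Triggers><CalendarTrigger><StartBoundary>2021-06-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>"}),
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"{a.host} {a.technique}: {a.reason}")
```

Event 1102 and 104 are written after the clear, so they survive it and are the most reliable signal; the 4688 rule only helps when process command-line auditing is enabled. Forwarding these channels off-host matters here precisely because the wiper clears the local copies.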

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Meteor has the ability to search for Kaspersky Antivirus on a victim's machine.(Citation: Check Point Meteor Aug 2021)
