| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1531 | Account Access Removal | Meteor has the ability to change the password of local users on compromised hosts and can log off users. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Meteor can use PowerShell commands to disable the network adapters on a victim machine. |
| enterprise | T1059.003 | Windows Command Shell | Meteor can run `set.bat`, `update.bat`, `cache.bat`, `bcd.bat`, `msrun.bat`, and similar scripts. |
| enterprise | T1485 | Data Destruction | Meteor can fill a victim’s files and directories with zero bytes in place of the real content before deleting them. |
| enterprise | T1491 | Defacement | - |
| enterprise | T1491.001 | Internal Defacement | Meteor can change both the desktop wallpaper and the lock screen image to a custom image. |
| enterprise | T1484 | Domain Policy Modification | - |
| enterprise | T1484.001 | Group Policy Modification | Meteor can use Group Policy to push a scheduled task from Active Directory to all machines on the network. |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | Meteor can hide its console window upon execution to decrease its visibility to the victim. |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | Meteor can use `wevtutil` to clear the Security, System and Application event logs. |
| enterprise | T1070.004 | File Deletion | Meteor will delete the folder containing its malicious scripts if it detects that the hostname is `PIS-APP`, `PIS-MOB`, `WSUSPROXY`, or `PIS-DB`. |
| enterprise | T1105 | Ingress Tool Transfer | Meteor has the ability to download additional files for execution on the victim’s machine. |
| enterprise | T1490 | Inhibit System Recovery | Meteor can use `bcdedit` to delete different boot identifiers on a compromised host; it can also run `vssadmin.exe delete shadows /all /quiet` and `C:\Windows\system32\wbem\wmic.exe shadowcopy delete`. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool. |
| enterprise | T1106 | Native API | Meteor can use the Windows API to remove a victim machine from an Active Directory domain. |
| enterprise | T1057 | Process Discovery | Meteor can check whether a specific process is running, such as Kaspersky’s `avp.exe`. |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Meteor execution begins from a scheduled task named `Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll`, and it creates a separate scheduled task called `mstask` to run the wiper only once, at 23:55:00. |
| enterprise | T1489 | Service Stop | Meteor can disconnect all network adapters on a compromised host using `powershell -Command "Get-WmiObject -class Win32_NetworkAdapter \| ForEach { If ($_.NetEnabled) { $_.Disable() } }" > NUL`. |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Meteor has the ability to search for Kaspersky Antivirus on a victim’s machine. |
| enterprise | T1082 | System Information Discovery | Meteor has the ability to discover the hostname of a compromised host. |
| enterprise | T1047 | Windows Management Instrumentation | Meteor can use `wmic.exe` as part of its effort to delete shadow copies. |
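Added example, not part of the ATT&CK table or of any published Meteor analysis: a small Python detection pass over constructed process-creation events that matches the command lines the T1490, T1070.001, T1489 and T1053.005 rows attribute to Meteor, then flags a host on which several of these techniques co-occur. The event field names and the `schtasks` invocation used to create the `mstask` task are assumptions; the table gives only the task name and time.

```python
import re

# Constructed process-creation events (not real telemetry), shaped like the
# command lines attributed to Meteor in the table, plus benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "cmd": r"C:\Windows\system32\wbem\wmic.exe shadowcopy delete"},
    {"host": "WS01", "cmd": "wevtutil cl Security"},
    {"host": "WS01", "cmd": 'powershell -Command "Get-WmiObject -class Win32_NetworkAdapter '
                            '| ForEach { If ($_.NetEnabled) { $_.Disable() } }" > NUL'},
    # Assumed form of the task creation; the table only gives the name and time.
    {"host": "WS02", "cmd": "schtasks /create /tn mstask /sc once /st 23:55:00 /tr wiper.exe"},
    {"host": "WS02", "cmd": "vssadmin.exe list shadows"},        # benign: read-only
    {"host": "WS02", "cmd": "wevtutil qe Application /c:5"},     # benign: query, not clear
]

# (ATT&CK ID, label, pattern over the command line), limited to behaviours the table lists.
RULES = [
    ("T1490", "shadow copy deletion (vssadmin)",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "shadow copy deletion (wmic)",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "boot identifier deletion (bcdedit)",
     re.compile(r"bcdedit(\.exe)?\s+/delete\b", re.I)),
    ("T1070.001", "event log clearing (wevtutil)",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(Security|System|Application)\b", re.I)),
    ("T1489", "network adapters disabled via WMI",
     re.compile(r"Win32_NetworkAdapter.*\.Disable\(\)", re.I)),
    ("T1053.005", "one-shot wiper task (mstask at 23:55)",
     re.compile(r"schtasks.*/tn\s+mstask\b.*/st\s+23:55", re.I)),
]


def match_event(event):
    """Return the (technique_id, label) pairs whose pattern fires on one event."""
    return [(tid, label) for tid, label, pat in RULES if pat.search(event["cmd"])]


def score_hosts(events, threshold=2):
    """Flag hosts on which at least `threshold` distinct techniques fired. Meteor
    chains recovery inhibition, log clearing and network isolation on one machine,
    so co-occurrence is a stronger signal than any single (often legitimate) command."""
    per_host = {}
    for ev in events:
        for tid, _ in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(tid)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= threshold}
```

With the constructed events, only `WS01` reaches the default threshold; `WS02` shows a single technique and the two benign read-only commands match nothing.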