Skip to content

S0688 Meteor

Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called “Indra” since at least 2019 against private companies in Syria.1

Item Value
ID S0688
Associated Names
Version 1.0
Created 07 March 2022
Last Modified 14 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1531 Account Access Removal Meteor has the ability to change the password of local users on compromised hosts and can log off users.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Meteor can use PowerShell commands to disable the network adapters on a victim machines.1
enterprise T1059.003 Windows Command Shell Meteor can run set.bat, update.bat, cache.bat, bcd.bat, msrun.bat, and similar scripts.1
enterprise T1485 Data Destruction Meteor can fill a victim’s files and directories with zero-bytes in replacement of real content before deleting them.1
enterprise T1491 Defacement -
enterprise T1491.001 Internal Defacement Meteor can change both the desktop wallpaper and the lock screen image to a custom image.1
enterprise T1484 Domain Policy Modification -
enterprise T1484.001 Group Policy Modification Meteor can use group policy to push a scheduled task from the AD to all network machines.1
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window Meteor can hide its console window upon execution to decrease its visibility to a victim.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.1
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs Meteor can use Wevtutil to remove Security, System and Application Event Viewer logs.1
enterprise T1070.004 File Deletion Meteor will delete the folder containing malicious scripts if it detects the hostname as PIS-APP, PIS-MOB, WSUSPROXY, or PIS-DB.1
enterprise T1105 Ingress Tool Transfer Meteor has the ability to download additional files for execution on the victim’s machine.1
enterprise T1490 Inhibit System Recovery Meteor can use bcdedit to delete different boot identifiers on a compromised host; it can also use vssadmin.exe delete shadows /all /quiet and C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.1
enterprise T1106 Native API Meteor can use WinAPI to remove a victim machine from an Active Directory domain.1
enterprise T1057 Process Discovery Meteor can check if a specific process is running, such as Kaspersky’s avp.exe.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Meteor execution begins from a scheduled task named Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll and it creates a separate scheduled task called mstask to run the wiper only once at 23:55:00.1
enterprise T1489 Service Stop Meteor can disconnect all network adapters on a compromised host using powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($.NetEnabled) { $.Disable() } }" > NUL.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Meteor has the ability to search for Kaspersky Antivirus on a victim’s machine.1
enterprise T1082 System Information Discovery Meteor has the ability to discover the hostname of a compromised host.1
enterprise T1047 Windows Management Instrumentation Meteor can use wmic.exe as part of its effort to delete shadow copies.1