Comet

Description

(Check Point) The wiping procedure itself is pretty simple. First, the malware goes over the files and directories from the paths_to_wipe config, fills them with zero-bytes instead of their real content, and then deletes them. After the wiping procedure, the malware tries to delete the shadow copies by running the following commands: vssadmin.exe delete shadows /all /quiet and C:\Windows\system32\wbem\wmic.exe shadowcopy delete. Finally, the malware enters an infinite loop where it sleeps based on the is_alive_loop_interval value from the configuration file and writes ‘Meteor is still alive.’ to the log in every iteration. If all this rings familiar to you, it should; it’s all straight out of the ransomware playbook — except this isn’t ransomware, which requires delicate orchestration of public-key and private-key cryptography to make the machine ultimately recoverable; this is Nuke-it-From-Orbit-ware. It’s a one-way trip.
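The two shadow-copy deletion commands quoted above are the most reliable host-level detection point for this wiper, since the zero-fill itself looks like ordinary file I/O. The following is an added example, not code from Check Point or from the malware: it runs a small rule set over constructed process-creation events (Sysmon Event ID 1 style: image, command line, parent image) and flags the vssadmin and wmic invocations while ignoring benign uses of the same binaries. The event shape, field names and sample records are assumptions for illustration.

```python
import re
from typing import List, NamedTuple, Tuple


class ProcessEvent(NamedTuple):
    """Minimal process-creation record (shape assumed; mirrors Sysmon EID 1 fields)."""
    timestamp: str
    image: str
    command_line: str
    parent_image: str


# Constructed sample telemetry, not real logs. Two benign admin commands are
# mixed in so the rules have something to reject, plus a case/whitespace
# variant of the vssadmin command to show why the match is normalised.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("2021-07-09T10:12:01Z", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet",
                 r"C:\Windows\Temp\update.exe"),
    ProcessEvent("2021-07-09T10:12:02Z", r"C:\Windows\System32\wbem\WMIC.exe",
                 r"C:\Windows\system32\wbem\wmic.exe shadowcopy delete",
                 r"C:\Windows\Temp\update.exe"),
    ProcessEvent("2021-07-09T10:15:40Z", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe list shadows",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("2021-07-09T10:16:03Z", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic os get caption",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("2021-07-09T10:20:11Z", r"C:\Windows\System32\vssadmin.exe",
                 "VSSADMIN   Delete  Shadows  /For=C: /Quiet",
                 r"C:\Windows\Temp\update.exe"),
]

# Each rule: (name, compiled pattern). Case-insensitive, and tolerant of the
# ".exe" suffix being present or absent, because the same command can be typed
# either way and still deletes volume shadow copies.
SHADOW_DELETE_RULES: List[Tuple[str, re.Pattern]] = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE)),
]


def normalize_command_line(cmd: str) -> str:
    """Collapse runs of whitespace so padding between arguments does not evade the regex."""
    return " ".join(cmd.split())


def detect_shadow_deletion(events: List[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Return (rule_name, event) for every event whose command line deletes shadow copies."""
    hits: List[Tuple[str, ProcessEvent]] = []
    for ev in events:
        cmd = normalize_command_line(ev.command_line)
        for name, pattern in SHADOW_DELETE_RULES:
            if pattern.search(cmd):
                hits.append((name, ev))
                break  # one alert per event is enough
    return hits


def suspicious_parents(hits: List[Tuple[str, ProcessEvent]]) -> List[str]:
    """Distinct parent images that spawned a shadow-copy deletion; a non-admin
    parent (here an executable under C:\\Windows\\Temp) is the escalation trigger."""
    return sorted({ev.parent_image for _, ev in hits})


if __name__ == "__main__":
    for rule, ev in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f"{ev.timestamp} {rule}: {ev.command_line!r} (parent {ev.parent_image})")
    print("parents:", suspicious_parents(detect_shadow_deletion(SAMPLE_EVENTS)))
```

In production the two rules would be fed from the endpoint's process-creation channel rather than an in-memory list; the point of the normalisation and the optional ".exe" is that an attacker controls the exact spelling of the command line, so matching on the literal strings from the report alone would miss trivial variants.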

Names

  • Comet
  • Meteor
  • Stardust

Category

Malware

Type

  • Wiper

Information

Other Information

Uuid

0af6db50-df36-41ae-89d1-4f9674b87efe

Last Card Change

2021-11-01