A new variant of the BiBi Wiper malware now destroys the disk partition table, complicating data recovery and extending the downtime for its victims.
BiBi Wiper attacks on Israel and Albania have been linked to a suspected Iranian hacking group known as ‘Void Manticore’ (Storm-842), believed to be associated with Iran’s Ministry of Intelligence and Security.
Security Joes first documented BiBi Wiper in October 2023, and its use prompted an alert from Israel’s CERT in November 2023 about widespread cyberattacks targeting critical national infrastructure.
Recent research from Check Point Research unveils updated versions of the BiBi Wiper, along with two additional custom wipers used by the same threat actor: Cl Wiper and Partition Wiper.
The study also highlights operational similarities between Void Manticore and ‘Scarred Manticore,’ another Iranian threat group, suggesting a potential collaboration between the two.
The Art of Deception: Unmasking Fake Personas in Cyber Attacks
Check Point assesses that Void Manticore operates behind the Telegram hacktivist persona ‘Karma’, which appeared in response to the Hamas attack on Israel in October 2023.
Karma has claimed attacks on more than 40 Israeli businesses, posting stolen data or evidence of erased drives on Telegram to increase the impact of their operations.
A persona used in the Albanian attacks, ‘Homeland Justice’, leaked some of the stolen material on Telegram.
This method is similar to that used by Sandworm (APT44), which Mandiant claims operates behind hacktivist-branded Telegram channels such as XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek.
Notably, Scarred Manticore has on several occasions handed compromised infrastructure over to Void Manticore.
Scarred Manticore’s role is initial access: it primarily exploits the Microsoft SharePoint vulnerability CVE-2019-0604, moves laterally over SMB, and harvests email.
Once an organization is compromised, access is handed to Void Manticore, which takes over payload delivery, further lateral movement inside the network, and deployment of the wipers.
Void Manticore: The Ultimate Arsenal for Cyber Warriors
Void Manticore uses a variety of tools to carry out its destructive actions, including web shells, manual deletion utilities, bespoke wipers, and credential verification tools.
The first payload delivered to a hacked web server is Karma Shell, a custom web shell disguised as an error page. Karma Shell can list folders, create processes, upload files, and manage services.
Check Point found that the latest versions of BiBi Wiper overwrite non-system files with random data and rename them with a randomly generated extension containing the string “BiBi”.
BiBi Wiper exists for both Linux and Windows, with small operational differences between the two builds.
For example, the Linux build spawns a number of worker threads proportional to the available CPU cores to speed up wiping. The Windows build skips .sys, .exe and .dll files so that the system does not become unbootable.
Unlike prior versions, the new variants only target Israeli systems and no longer delete shadow copies or disable the system’s Error Recovery screen. However, they now wipe the partition information from the drive, which hampers data recovery.
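To turn the file-level behaviour described above into something an incident responder can act on, here is an added triage example (written for this article; it is not Check Point’s, Security Joes’ or the malware’s code). It walks a copy of a filesystem, flags files whose final extension contains the string “BiBi”, and uses Shannon entropy to separate files whose contents really were overwritten with random data from renamed files whose contents are still intact; it also lists .sys/.exe/.dll files left untouched, consistent with the reported Windows behaviour. The extension pattern, the entropy threshold of 7.5 bits per byte and the sample tree are assumptions made for the example.

```python
"""Triage scan for BiBi-style wiped files on a copied filesystem (added example, constructed data)."""
import math
import os
import random
import re
import tempfile
from collections import Counter

# Assumption for this example: the appended extension contains the literal string "BiBi"
# (e.g. "budget.xlsx.qzpl.BiBi7"); tune the pattern to the exact sample being analysed.
BIBI_EXT = re.compile(r"\.[^.]*BiBi[^.]*$")
WINDOWS_SKIP = {".sys", ".exe", ".dll"}   # reported as untouched by the Windows build
HIGH_ENTROPY = 7.5                         # bits per byte; random overwrites sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for random data, ~4-5 for text, near 0 for zero padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, sample_size: int = 4096) -> dict:
    """Walk root, sampling the head of each file. Returns renamed files whose content is random
    ("wiped"), renamed files whose content is not random ("suspicious", worth a closer look),
    and system binaries that were left intact."""
    wiped, suspicious, intact_system = [], [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_size)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ent = round(shannon_entropy(head), 2)
            if BIBI_EXT.search(name):
                (wiped if ent >= HIGH_ENTROPY else suspicious).append((rel, ent))
            elif os.path.splitext(name)[1].lower() in WINDOWS_SKIP:
                intact_system.append((rel, ent))
    return {"wiped": sorted(wiped), "suspicious": sorted(suspicious),
            "intact_system": sorted(intact_system)}


def build_constructed_tree(root: str) -> None:
    """Write a handful of constructed files mimicking a partially wiped Windows share."""
    rng = random.Random(1)
    noise = bytes(rng.randrange(256) for _ in range(4096))
    os.makedirs(os.path.join(root, "Finance"), exist_ok=True)
    samples = {
        "Finance/budget.xlsx.qzpl.BiBi7": noise,                       # overwritten and renamed
        "Finance/memo.txt.wxal.BiBi2": b"Q4 planning notes\n" * 200,   # renamed, content intact
        "Finance/readme.txt": b"Shared drive for finance.\n",           # untouched
        "helper.dll": b"MZ" + b"\x00" * 4094,                           # skipped by the wiper
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the constructed tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

Run it against a mounted forensic copy rather than a live disk, and treat the “suspicious” bucket as the interesting one: a renamed file with low entropy either was not overwritten or was overwritten only partially, and may still be recoverable.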
Cl Wiper, first seen in the attacks on Albanian systems, performs its wiping through the ‘ElRawDisk’ driver, overwriting the raw physical drive with a predetermined buffer. Loading that driver is itself an observable event on the host.
Partition Wiper deliberately targets the partition table, so the operating system can no longer locate its partitions; the data itself may remain on disk, but recovery requires reconstructing the partition layout first, which raises the cost and duration of restoration.
Because the wipers destroy both the Master Boot Record (MBR) and the GUID Partition Table (GPT), affected machines typically fail to boot after a restart, showing a blue screen of death (BSOD) or crashing outright.
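To make the partition-table damage concrete, here is an added example (written for this article; it is not Check Point’s code, nor the wipers’). It builds a small constructed disk image with a protective MBR, a GPT header and one partition entry, then checks what a responder would verify on a raw image: the 0x55AA MBR signature, the “EFI PART” signature, the header CRC32 and the partition-entry-array CRC32. A wipe is simulated by zeroing whole sectors, which stands in for whatever buffer the real wiper writes; the image size, GUIDs and partition layout are assumptions made for the example.

```python
"""Triage check for MBR/GPT integrity on a raw disk image (added example, constructed data)."""
import struct
import zlib

SECTOR = 512
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header, little-endian (UEFI spec layout)
GPT_ENTRY_SIZE = 128
GPT_ENTRY_COUNT = 128
ENTRIES_LBA = 2                          # partition entry array starts at LBA 2


def _protective_mbr(disk_sectors: int) -> bytes:
    # One 0xEE entry spanning the disk plus the 0x55AA boot signature at offset 510.
    entry = struct.pack("<B3sB3sII", 0x00, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff",
                        1, min(disk_sectors - 1, 0xFFFFFFFF))
    return b"\x00" * 446 + entry + b"\x00" * 48 + b"\x55\xaa"


def _gpt_entry(first_lba: int, last_lba: int, name: str) -> bytes:
    # Microsoft basic data type GUID EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 in on-disk byte order.
    type_guid = bytes.fromhex("a2a0d0ebe5b9334487c068b6b72699c7")
    return struct.pack("<16s16sQQQ72s", type_guid, b"\x22" * 16,
                       first_lba, last_lba, 0, name.encode("utf-16-le"))


def _gpt_header(entries: bytes, disk_sectors: int) -> bytes:
    # The header CRC32 is computed over the 92-byte header with its own CRC field zeroed.
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, disk_sectors - 1,
              ENTRIES_LBA + len(entries) // SECTOR, disk_sectors - 2, b"\x11" * 16,
              ENTRIES_LBA, GPT_ENTRY_COUNT, GPT_ENTRY_SIZE, zlib.crc32(entries)]
    fields[3] = zlib.crc32(struct.pack(GPT_HEADER_FMT, *fields))
    return struct.pack(GPT_HEADER_FMT, *fields).ljust(SECTOR, b"\x00")


def build_constructed_image(disk_sectors: int = 64) -> bytes:
    """Constructed 32 KiB image: protective MBR, GPT header, one data partition, zero data."""
    entries = _gpt_entry(34, disk_sectors - 2, "Constructed data")
    entries = entries.ljust(GPT_ENTRY_COUNT * GPT_ENTRY_SIZE, b"\x00")
    image = _protective_mbr(disk_sectors) + _gpt_header(entries, disk_sectors) + entries
    return image.ljust(disk_sectors * SECTOR, b"\x00")


def simulate_wipe(image: bytes, start_sector: int = 0, sectors: int = 3) -> bytes:
    """Simulated partition wipe: overwrite whole sectors with a fixed buffer, leave the rest."""
    lo, hi = start_sector * SECTOR, (start_sector + sectors) * SECTOR
    return image[:lo] + b"\x00" * (hi - lo) + image[hi:]


def check_partition_tables(image: bytes) -> dict:
    """Report which MBR/GPT structures still verify; False values point at what was destroyed."""
    result = {"mbr_signature_ok": False, "protective_mbr": False, "gpt_signature_ok": False,
              "gpt_header_crc_ok": False, "gpt_entries_crc_ok": False, "gpt_partitions": 0}
    if len(image) < 2 * SECTOR:
        return result
    mbr = image[:SECTOR]
    result["mbr_signature_ok"] = mbr[510:512] == b"\x55\xaa"
    if result["mbr_signature_ok"]:
        result["protective_mbr"] = any(mbr[446 + i * 16 + 4] == 0xEE for i in range(4))
    hdr = image[SECTOR:2 * SECTOR]
    fields = struct.unpack(GPT_HEADER_FMT, hdr[:92])
    result["gpt_signature_ok"] = fields[0] == b"EFI PART"
    if not result["gpt_signature_ok"]:
        return result                          # nothing further in this header can be trusted
    header_size = fields[2] if 92 <= fields[2] <= SECTOR else 92
    result["gpt_header_crc_ok"] = zlib.crc32(hdr[:16] + b"\x00" * 4 + hdr[20:header_size]) == fields[3]
    entries_lba, count, size, entries_crc = fields[10], fields[11], fields[12], fields[13]
    entries = image[entries_lba * SECTOR: entries_lba * SECTOR + count * size]
    if size == 0 or count == 0 or len(entries) != count * size:
        return result                          # header fields no longer describe the image
    result["gpt_entries_crc_ok"] = zlib.crc32(entries) == entries_crc
    result["gpt_partitions"] = sum(1 for i in range(0, len(entries), size) if any(entries[i:i + 16]))
    return result


if __name__ == "__main__":
    intact = build_constructed_image()
    print("intact      :", check_partition_tables(intact))
    print("wiped LBA0-2:", check_partition_tables(simulate_wipe(intact)))
    print("wiped LBA2  :", check_partition_tables(simulate_wipe(intact, start_sector=2, sectors=1)))
```

Point the check at a dd image of an affected drive. The CRC checks matter because a wiper that overwrites only the entry array leaves both signatures in place, so a signature-only check would report the disk as healthy. The example reads only the primary header; on a real image also compare the backup GPT header at the last LBA, which a wiper that overwrites only the first sectors leaves intact, and which is the first thing to try when reconstructing the layout.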