BiBi Wiper Proves to be Highly Destructive Malware Threat
The BiBi wiper has emerged as a formidable threat, linked to Void Manticore, an Iranian cyber threat actor associated with the Ministry of Intelligence and Security (MOIS). This group is known for its destructive wiping attacks and influence operations. Their activities have been particularly impactful in Israel and Albania, with their operations revealing significant overlaps with another group, Scarred Manticore.
Void Manticore: A Profile
Void Manticore, also known as Storm-842, operates under various personas, most notably "Homeland Justice" for attacks in Albania and "Karma" for operations in Israel. This group employs a variety of methods, including custom wipers for Windows and Linux, to carry out their disruptive activities.
Collaboration with Scarred Manticore
Void Manticore's operations often intersect with those of Scarred Manticore (Storm-861), indicating a systematic handoff of targets. This collaboration enables Void Manticore to leverage the access and capabilities of Scarred Manticore, enhancing the effectiveness of their attacks.
Void Manticore’s TTPs are relatively straightforward, often involving manual deletion of files and lateral movement over Remote Desktop Protocol (RDP). Their tools are basic, mostly publicly available, and include various web shells like the "Karma Shell."
The BiBi Wiper
A hallmark of Void Manticore's operations in Israel is the deployment of the BiBi wiper, named after Israeli Prime Minister Benjamin Netanyahu. This custom wiper has been used extensively against Israeli organizations, with variants for both Linux and Windows systems.
Linux Version
The Linux version of the BiBi wiper, known as bibi-linux.out, corrupts files with random data and renames them with random names and the “.BiBi” extension. It skips files that are essential to the OS, so the system keeps running while the wiping continues.
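A defender-side sketch of how the rename behaviour described above can be detected, added here as an example and not taken from the original report: it flags any process that renames a burst of files to the “.BiBi” extension within a short window. The event-line format, the threshold and window values, and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

WIPER_EXT = ".bibi"  # extension named on this page, compared case-insensitively

# Constructed sample rename events: "timestamp pid process old_path new_path".
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 812 logrotate /var/log/app.log /var/log/app.log.1",
    "2024-01-01T10:00:01 7001 bibi-linux.out /srv/docs/q1.xlsx /srv/docs/kfj3hd.BiBi",
    "2024-01-01T10:00:02 7001 bibi-linux.out /srv/docs/q2.xlsx /srv/docs/p09sla.BiBi",
    "2024-01-01T10:00:03 950 mv /home/u/notes.txt /home/u/notes.BiBi",
    "2024-01-01T10:00:03 7001 bibi-linux.out /srv/db/users.sql /srv/db/zz81qm.BiBi",
    "2024-01-01T10:00:04 7001 bibi-linux.out /srv/db/orders.sql /srv/db/w7dnc2.BiBi",
    "2024-01-01T10:00:05 7001 bibi-linux.out /srv/www/index.php /srv/www/t4hx0b.BiBi",
    "2024-01-01T10:00:06 7001 bibi-linux.out /srv/www/app.js /srv/www/m3v9ye.BiBi",
]

def parse_event(line):
    """Parse one event line (hypothetical format; paths contain no whitespace)."""
    ts, pid, proc, old, new = line.split()
    return datetime.fromisoformat(ts), int(pid), proc, old, new

def is_wiper_rename(old, new):
    """True when a file without the extension is renamed to *.BiBi."""
    old_ext = os.path.splitext(old)[1].lower()
    new_ext = os.path.splitext(new)[1].lower()
    return new_ext == WIPER_EXT and old_ext != WIPER_EXT

def detect_rename_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """One alert per process making >= threshold matching renames inside the window."""
    recent = defaultdict(deque)  # pid -> timestamps of matching renames still in window
    alerts = {}
    for line in lines:
        ts, pid, proc, old, new = parse_event(line)
        if not is_wiper_rename(old, new):
            continue
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > window:  # drop renames that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = {"pid": pid, "process": proc, "renames": len(q), "at": ts.isoformat()}
    return list(alerts.values())

if __name__ == "__main__":
    print(detect_rename_bursts(SAMPLE_EVENTS))
```

The single manual rename by `mv` and the `logrotate` rotation stay below the threshold, so only the burst from one process raises an alert.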
Windows Version
The Windows variant, bibi.exe, follows a similar pattern but includes additional features like deleting shadow copies and disabling error recovery triggers. It also avoids destroying critical system files, ensuring the wiper can operate effectively.
Influence Operations: The Role of “Karma”
The "Karma" persona plays a crucial role in Void Manticore's strategy, particularly in Israel. Initially perceived as part of a broader hacktivist effort, Karma gained prominence through its association with the BiBi wiper. This persona has successfully targeted over 40 Israeli organizations, focusing on wiping, stealing, and publishing data.
The cooperation between Void Manticore and Scarred Manticore illustrates a high degree of coordination, enabling Void Manticore to access high-value targets and execute their destructive activities efficiently. This collaboration, combined with their influence operations, positions Void Manticore as a significant threat within the Iranian cyber landscape.
From Albania to the Middle East
Void Manticore's operations extend beyond Israel, with notable activities in Albania. The handoff procedure observed in attacks against both nations suggests a routine process of target transition between Scarred Manticore and Void Manticore. This method was particularly evident in the destructive attacks against Albania, where Void Manticore deployed wipers similar to those used in Israel.
Conclusion
Void Manticore, through its destructive wiper attacks and strategic use of online personas, has established itself as a dangerous and coordinated threat actor. Their collaboration with Scarred Manticore and use of the BiBi wiper highlight their capability to inflict significant damage and influence political narratives in the regions they target.








