This wiper malware takes data destruction to a whole new level

Malware Magnifying Glass
Image Credit: Shutterstock (Image credit: Andriano.cz / Shutterstock)

Security researchers have observed a new version of BiBi Wiper, a destructive piece of malware that not only wipes all of the data from the disk, but now also deletes the disk partition table as well. As a result, data recovery takes far more time and effort. 

The malware is built for both Linux and Windows operating systems, with minor differences between them. Generally speaking, non-system files get corrupted with random data, and also get a randomly generated extension with the “BiBi” string.

The new variant was spotted by Check Point Research, whose experts also found two additional custom wipers called Cl Wiper and Partition Wiper. The malware allegedly belongs to Void Manticore, AKA Storm-842, an Iranian state-sponsored threat actor. Their targets include organizations in Israel, and Albania. 

Cooperating with Scarred Manticore

BiBi Wiper is reserved for Israeli victims, while CI Wiper focuses mostly on Albanian targets. Furthermore, BiBi Wiper does not delete shadow copies, or disable the system’s Error Recovery screen. Still, with partition information now also being removed, recovering the data is now significantly harder.

The researchers also claim that Void Manticore cooperates extensively with Scarred Manticore, a separate threat actor also on the payroll of Iran’s Ministry of Intelligence and Security.

Unlike Void Manticore, which usually deploys malware and exfiltrates sensitive data, Scarred Manticore is an initial access broker, whose only assignment is to find a way into their target’s IT infrastructure. Once that goal is achieved, the access is handed over to Void Manticore for further action.

To obtain that access, Scarred Manticore mostly abuses CVE-2019-0604, a vulnerability in Microsoft Sharepoint, to move laterally throughout the network, and steal emails. 

Among the different tools in Void Manticore’s arsenal is Karma Shell, a custom web shell that hides behind a fake error page. This web shell lists directories, creates processes, can upload files, and manage servers.

Via BleepingComputer 

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.