The new BiBi Wiper version also destroys the disk partition table

A new version of the BiBi Wiper malware now deletes the disk partition table to make data recovery more difficult, increasing downtime for targeted victims.

BiBi Wiper attacks on Israel and Albania have been linked to a suspected Iranian hacking group called ‘Void Manticore’ (Storm-842), which is believed to have ties to Iran’s Ministry of Intelligence and Security (MOIS).

BiBi Wiper was first spotted by Security Joes in October 2023, and its activities led to an alert from Israel’s CERT in November 2023 about large-scale offensive cyber operations using it against critical organizations in the country.

A new report from Check Point Research describes newer variants of the BiBi Wiper together with two other wipers used by the same threat group, Cl Wiper and Partition Wiper.

The report also points to operational overlaps between Void Manticore and ‘Scarred Manticore’, another Iranian threat group, and suggests cooperation between the two.

Fake personas and cooperative attacks

Check Point suspects that Void Manticore operates behind the hacktivist persona ‘Karma’ on Telegram, which appeared after the Hamas attack on Israel in October 2023.

Karma has claimed attacks on more than 40 Israeli organizations, publishing stolen data or evidence from wiped drives on Telegram to magnify the damage of their activities.

The persona used for the Albanian attacks is ‘Homeland Justice’, which has leaked some of the stolen files on Telegram.

This approach is very similar to that of Sandworm (APT44), which, according to Mandiant, operates behind hacktivist-branded Telegram channels such as XakNet Team, CyberArmyofRussia_Reborn and Solntsepek.

Another interesting finding is that in some cases Void Manticore appears to have transferred control of the compromised infrastructure to Scarred Manticore.

Scarred Manticore focuses on establishing initial access, primarily by exploiting the Microsoft SharePoint deserialization flaw CVE-2019-0604, then moving laterally over SMB and collecting emails.

Access to the compromised organizations is then handed over to Void Manticore, which carries out payload deployment, further lateral movement across the network, and the final wiper deployment.

Collaboration diagram between Scarred and Void Manticore
Source: Check Point

Void Manticore tools

Void Manticore uses several tools in its destructive operations, including web shells, manual wiping tools, custom wipers, and a credential validation tool.

Karma Shell is the first payload deployed on a compromised web server. It is a custom web shell, disguised as an error page, that can list directories, create processes, upload files, and manage services.

Commands executed via Karma Shell
Source: Check Point

The newer versions of the BiBi Wiper that Check Point has seen corrupt non-system files with arbitrary data and add a randomly generated extension containing the string “BiBi”.

BiBi has both a Linux and Windows variant, each with some unique features and minor operational differences.

For example, on Linux, BiBi spawns a number of worker threads based on the CPU cores available to speed up the wiping process. On Windows, BiBi skips .sys, .exe, and .dll files so that the system keeps running while the data is destroyed.
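The two observable traces described above, a random extension carrying the string “BiBi” and file bodies filled with arbitrary data, are what a responder can triage for on a surviving volume. The following Python script is an added example written for this article, not code from Check Point or from the malware: it walks a directory tree, flags files whose extension contains the “BiBi” marker, and measures byte entropy of the content as corroboration that the body was overwritten with random data. The extension pattern, the entropy threshold of 7.5 bits per byte and the sample tree are assumptions constructed for the demo.

```python
"""Triage files for BiBi-style wiper traces (added example, not Check Point's or the malware's code)."""
import math
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

# Assumed pattern for the renamed files: an extension that contains "BiBi"
# surrounded by random alphanumerics, e.g. "k3j9x2pq.BiBi7" (case-sensitive).
BIBI_EXT_RE = re.compile(r"\.[A-Za-z0-9]*BiBi[A-Za-z0-9]*$")
# Random fill approaches 8 bits/byte; documents and source usually sit far lower.
HIGH_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Finding:
    path: str
    marker_ext: bool    # file name carries the "BiBi" extension marker
    high_entropy: bool  # sampled content looks like a random overwrite
    entropy: float


def scan_tree(root: str, sample_bytes: int = 65536) -> list[Finding]:
    """Walk root and return one Finding per file that shows either wiper sign."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            marker = bool(BIBI_EXT_RE.search(name))
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            ent = shannon_entropy(sample)
            # Require a few KiB before trusting entropy; tiny files are noisy.
            high = ent >= HIGH_ENTROPY_THRESHOLD and len(sample) >= 4096
            if marker or high:
                findings.append(Finding(path, marker, high, round(ent, 3)))
    return findings


def build_sample_tree() -> str:
    """Constructed fixture: one intact text file, one wiped file, one DLL stub."""
    root = tempfile.mkdtemp(prefix="bibi_demo_")
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("Quarterly report. " * 500)          # low entropy, untouched
    with open(os.path.join(root, "k3j9x2pq.BiBi7"), "wb") as fh:
        fh.write(os.urandom(32768))                    # random body + marker
    with open(os.path.join(root, "netutil.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 8190)              # skipped by the Windows build
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.path}: marker_ext={f.marker_ext} high_entropy={f.high_entropy} H={f.entropy}")
```

Compressed archives and encrypted containers also score near 8 bits per byte, so the entropy flag alone is only corroboration; the extension marker is the stronger signal, and a high-entropy hit without the marker deserves a look at whether the file type normally compresses.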

Compared to earlier versions, the newer variants are configured to run only on Israeli systems and no longer delete shadow copies or disable the system’s error recovery screen. However, they now wipe the partition information from the drive, making data recovery more difficult.

Partition wipe code in BiBi and Partition Wipers
Source: Check Point

Cl Wiper, first seen in attacks on Albanian systems, uses the ‘ElRawDisk’ (EldoS RawDisk) driver to perform its wipe, overwriting the physical disk contents with a predefined buffer.

Partition wipers specifically target the system’s partition table so that the disk layout cannot be recovered, complicating data recovery efforts and maximizing the damage done.

Attacks with these wipers typically leave victims with a blue screen of death (BSOD) or a machine that fails to boot, since both the Master Boot Record (MBR) and GUID Partition Table (GPT) layouts are targeted.
