BiBi Wiper

A new variant of the BiBi Wiper malware has been observed targeting the disk partition table, complicating data restoration and extending downtime for its victims. Attacks using BiBi Wiper on Israel and Albania have been traced to a suspected Iranian hacking group known as Void Manticore (Storm-842), believed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS).

Researchers first identified BiBi Wiper in October 2023, which led Israel's CERT to issue a warning in November 2023 about extensive cyberattacks against critical organizations in the country. A recent report has revealed newer versions of the BiBi Wiper along with two other custom wipers, Cl Wiper and Partition Wiper, employed by the same threat group.

Void Manticore May Hide Behind Fake Hacktivist Personas

Void Manticore is suspected of operating under the guise of the Karma hacktivist group on Telegram, which emerged in the wake of the Hamas attack on Israel in October 2023. Karma has claimed responsibility for attacks on more than 40 Israeli entities, using Telegram to showcase harvested data or evidence of wiped drives and so amplify the impact of its activities. The Albanian operations were fronted by a persona known as Homeland Justice, and some of the stolen files were leaked on Telegram.

This tactic closely mirrors the modus operandi of Sandworm (APT44), known for utilizing hacktivist-themed Telegram channels such as the XakNet Team, CyberArmyofRussia_Reborn and Solntsepek.

A notable finding is that Scarred Manticore appears, in certain cases, to hand control of compromised infrastructure over to Void Manticore. Scarred Manticore specializes in establishing initial access, often by exploiting vulnerabilities such as the Microsoft SharePoint flaw CVE-2019-0604, then moving laterally over SMB and harvesting email. Once infiltrated, these organizations are passed to Void Manticore for payload deployment, further lateral movement within the network, and the deployment of the data-wiping tools.

The BiBi Wiper Continues to Evolve Its Destructive Capabilities

Void Manticore employs a range of tools for its destructive activities, including web shells, manual deletion tools, custom wipers and credential verification tools.

The latest iterations of the BiBi Wiper malware destroy non-system files by overwriting their contents with random data and renaming them with a randomly generated extension that contains the 'BiBi' string. BiBi exists in both Linux and Windows variants, each with its own characteristics and operational details.

On Linux, BiBi spawns one worker thread per available CPU core to speed up the wiping process. The Windows version, for its part, skips .sys, .exe and .dll files so that the system is not rendered unbootable.
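The two artefacts described above, renamed files and random-byte contents, are what a responder would look for on a suspected victim. The following triage script is an added example for this article, not code from the report or from any of the wipers it describes. It walks a directory tree and flags files whose extension contains 'BiBi' (the exact form of the random extension is not given on the page, so the regular expression is an assumption) or whose first 64 KiB are near-random, measured by Shannon entropy. The sample tree it builds is constructed for the demonstration.

```python
"""Triage a directory tree for artefacts of a BiBi-style file wiper.

Added example for this article, not code from the report or from the
wipers it describes.  Two signals are checked: the renaming pattern
(the article says the wiper appends a random extension containing the
string 'BiBi'; the exact shape is an assumption here) and near-random
file contents, since the wiper overwrites files with random bytes.
"""
import math
import os
import re
import tempfile
from collections import Counter

BIBI_EXT = re.compile(r"\.[^.]*bibi[^.]*$", re.IGNORECASE)  # assumed pattern
SKIPPED_BY_WINDOWS_VARIANT = {".sys", ".exe", ".dll"}       # per the article
ENTROPY_THRESHOLD = 7.5   # bits per byte; random data approaches 8.0
MIN_SIZE = 256            # too little data makes the entropy estimate noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_file(path: str, sample: int = 65536) -> dict:
    """Return the reasons (if any) a single file looks wiped."""
    name = os.path.basename(path)
    with open(path, "rb") as fh:
        head = fh.read(sample)
    ent = shannon_entropy(head)
    reasons = []
    if BIBI_EXT.search(name):
        reasons.append("bibi-extension")
    if len(head) >= MIN_SIZE and ent >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return {"path": path, "entropy": round(ent, 2), "reasons": reasons}


def triage_tree(root: str) -> list:
    """Walk root and collect every file with at least one wiper signal."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            r = triage_file(os.path.join(dirpath, f))
            if r["reasons"]:
                hits.append(r)
    return sorted(hits, key=lambda r: r["path"])


def build_sample_tree(root: str) -> None:
    """Constructed sample: one wiped document, one intact document and one
    intact executable (the Windows variant leaves .exe files alone)."""
    with open(os.path.join(root, "q7x1p9.BiBi1"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("Quarterly report: all systems nominal.\n" * 100)
    with open(os.path.join(root, "tool.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 4094)


def run_demo() -> list:
    """Build the sample tree in a temp dir, triage it, return (name, reasons)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = triage_tree(root)
    return [(os.path.basename(h["path"]), h["reasons"]) for h in hits]


if __name__ == "__main__":
    for name, reasons in run_demo():
        print(f"{name}: {', '.join(reasons)}")
```

On a real host the entropy signal is the more reliable of the two, because a variant that changes its extension scheme still has to leave random bytes behind; expect legitimate hits on compressed and encrypted files, so treat the output as a list to review rather than a verdict.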

In contrast to previous iterations, the updated variants target Israeli systems exclusively and no longer delete shadow copies or disable the Windows Error Recovery screen. However, they now erase the partition information from the disk, which makes data recovery considerably harder.

Partition Wiper focuses specifically on the disk's partition table, destroying the record of the disk layout. This complicates efforts to restore data and amplifies the damage inflicted. Victims typically see a blue screen of death (BSOD) or a system crash on reboot, because the wiper overwrites both Master Boot Record (MBR) and GUID Partition Table (GPT) structures.
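What "erasing the partition information" means on disk, and what a responder can still check afterwards, is easier to see on a concrete image. The script below is an added example for this article, not code from the report or from Partition Wiper itself. It builds a constructed 1 MiB image with a protective MBR and a GPT (primary header, entry array and the backup copies GPT keeps at the end of the disk), validates the boot signature and both GPT CRC32 checksums, then simulates a wipe. The simulation assumes the wiper only zeroes the first 34 sectors (MBR, primary GPT header and entry array); the page does not say whether the backup GPT is also hit, and a wiper that overwrites the last sectors too removes the recovery path the example shows.

```python
"""Validate the MBR and GPT of a disk image before and after a partition wipe.

Added example for this article, not code from the report or the wiper.
Layout: LBA 0 protective MBR, LBA 1 primary GPT header, LBA 2..33 entry
array, and mirrored copies at the end of the disk (array, then header in
the last sector).  The wipe simulation is an assumption: it zeroes the
first 34 sectors only.
"""
import struct
import uuid
import zlib

SECTOR = 512
ENTRIES, ENTRY_SIZE = 128, 128                      # standard GPT array: 16 KiB
ARRAY_SECTORS = ENTRIES * ENTRY_SIZE // SECTOR      # 32
GPT_HDR = "<8s4sIIIQQQQ16sQIII"                     # 92-byte GPT header
BASIC_DATA = uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7")  # MS basic data
DISK_GUID = uuid.UUID("0c1bd6ae-4a89-4f0e-9e7c-6d2f1e3a5b70")   # constructed


def make_header(my_lba, alt_lba, entries_lba, first_usable, last_usable, array_crc):
    """Build one GPT header; the header CRC is computed with its field zeroed."""
    hdr = bytearray(struct.pack(GPT_HDR, b"EFI PART", b"\x00\x00\x01\x00", 92, 0, 0,
                                my_lba, alt_lba, first_usable, last_usable,
                                DISK_GUID.bytes_le, entries_lba, ENTRIES, ENTRY_SIZE,
                                array_crc))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
    return bytes(hdr)


def build_image(total_sectors=2048):
    """Constructed image: protective MBR plus a GPT with one data partition."""
    img = bytearray(total_sectors * SECTOR)
    # Protective MBR: a single type-0xEE entry covering the disk, boot signature 55AA.
    img[446:462] = struct.pack("<B3sB3sII", 0, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff",
                               1, total_sectors - 1)
    img[510:512] = b"\x55\xAA"
    first_usable = 2 + ARRAY_SECTORS                # 34
    backup_array_lba = total_sectors - 1 - ARRAY_SECTORS
    last_usable = backup_array_lba - 1
    entries = bytearray(ENTRIES * ENTRY_SIZE)
    entries[:ENTRY_SIZE] = struct.pack("<16s16sQQQ72s", BASIC_DATA.bytes_le,
                                       DISK_GUID.bytes_le, first_usable, last_usable,
                                       0, "Data".encode("utf-16-le"))
    array_crc = zlib.crc32(bytes(entries))
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    img[backup_array_lba * SECTOR:backup_array_lba * SECTOR + len(entries)] = entries
    img[SECTOR:SECTOR + 92] = make_header(1, total_sectors - 1, 2, first_usable,
                                          last_usable, array_crc)
    off = (total_sectors - 1) * SECTOR
    img[off:off + 92] = make_header(total_sectors - 1, 1, backup_array_lba,
                                    first_usable, last_usable, array_crc)
    return img


def check_mbr(img):
    """Boot signature and the four partition type bytes of the MBR."""
    return {"signature_ok": bytes(img[510:512]) == b"\x55\xAA",
            "partition_types": [img[446 + 16 * i + 4] for i in range(4)]}


def check_gpt_header(img, lba):
    """Validate signature, header CRC and entry-array CRC of the header at lba."""
    off = lba * SECTOR
    raw = bytes(img[off:off + 92])
    res = {"lba": lba, "signature_ok": raw[:8] == b"EFI PART",
           "header_crc_ok": False, "array_crc_ok": False, "partitions": []}
    if not res["signature_ok"]:
        return res
    f = struct.unpack(GPT_HDR, raw)
    hdr_size, stored_crc = f[2], f[3]
    if not 92 <= hdr_size <= SECTOR:                # garbled size: do not trust it
        return res
    scrub = bytearray(img[off:off + hdr_size])
    struct.pack_into("<I", scrub, 16, 0)             # CRC is computed over a zeroed field
    res["header_crc_ok"] = zlib.crc32(bytes(scrub)) == stored_crc
    entries_lba, n, size, array_crc = f[10], f[11], f[12], f[13]
    arr = bytes(img[entries_lba * SECTOR:entries_lba * SECTOR + n * size])
    res["array_crc_ok"] = zlib.crc32(arr) == array_crc
    for i in range(n):
        e = arr[i * size:(i + 1) * size]
        if len(e) == size and e[:16] != b"\x00" * 16:   # non-empty type GUID
            res["partitions"].append(struct.unpack_from("<QQ", e, 32))
    return res


def inspect_disk(img):
    total = len(img) // SECTOR
    return {"mbr": check_mbr(img), "primary_gpt": check_gpt_header(img, 1),
            "backup_gpt": check_gpt_header(img, total - 1)}


def wipe_partition_tables(img, sectors=34):
    """Assumed wiper behaviour: zero the first 34 sectors of the disk."""
    img[:sectors * SECTOR] = bytes(sectors * SECTOR)
    return img


if __name__ == "__main__":
    disk = build_image()
    print("before:", inspect_disk(disk))
    print("after: ", inspect_disk(wipe_partition_tables(disk)))
```

When the first sectors are gone the machine cannot find a boot loader or a partition list, which is the failure the article describes. Recovery then depends on whether the backup GPT header in the last sector still validates; if it does, the partition boundaries can be read back from it, while the data within those partitions is a separate question (the file-level wiper may have already overwritten it).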
