Security researchers have observed a new version of BiBi Wiper, a destructive malware that not only wipes all data on the disk, but now also deletes the disk partition table. As a result, data recovery requires much more time and effort.
The malware is designed for Linux and Windows operating systems, with minor differences between them. Generally speaking, non-system files get corrupted with random data and also get a randomly generated extension with the string “BiBi”.
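A defender-side triage check for the file-level behaviour described above, added here as an example and not taken from the article or from Check Point's research: it walks a directory, flags files whose extension contains "BiBi", and measures the entropy of each file's first bytes as a corroborating sign that the content was overwritten with random data. The extension pattern, the entropy threshold and the sample files are assumptions constructed for this example.

```python
import math
import os
import re
import tempfile
from pathlib import Path

# Assumption: the randomly generated extension carries the literal string "BiBi"
# somewhere in it; the exact form of real samples may differ.
BIBI_EXT = re.compile(r"BiBi", re.IGNORECASE)
SAMPLE_BYTES = 4096          # how much of the file head to measure
ENTROPY_THRESHOLD = 7.5      # bits per byte; random data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_file(path: Path) -> dict:
    """Record whether a file shows the 'BiBi' extension and/or a random-looking head."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    ent = shannon_entropy(head)
    return {
        "path": str(path),
        "bibi_extension": bool(BIBI_EXT.search(path.suffix)),
        "high_entropy": ent >= ENTROPY_THRESHOLD,
        "entropy": round(ent, 2),
    }

def scan_tree(root: Path) -> list[dict]:
    """Walk a directory tree and return the records that show either indicator."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rec = triage_file(Path(dirpath) / name)
            if rec["bibi_extension"] or rec["high_entropy"]:
                hits.append(rec)
    return sorted(hits, key=lambda r: r["path"])

def demo() -> list[dict]:
    """Constructed sample tree: one wiped-looking file, one intact text file, one random blob."""
    root = Path(tempfile.mkdtemp(prefix="bibi_triage_"))
    (root / "report.docx.BiBi1").write_bytes(os.urandom(SAMPLE_BYTES))  # both indicators
    (root / "notes.txt").write_bytes(b"quarterly numbers\n" * 200)        # neither indicator
    (root / "blob.bin").write_bytes(os.urandom(SAMPLE_BYTES))              # entropy only
    return scan_tree(root)
```

A file that trips both indicators is the strongest signal; entropy alone also matches legitimately compressed or encrypted files, so treat it as corroboration rather than proof.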
As reported by BleepingComputer, the new variant was spotted by Check Point Research, whose experts also found two additional custom wipers called CI Wiper and Partition Wiper. The malware allegedly belongs to Void Manticore, also known as Storm-842, an Iranian state-sponsored threat actor. Its targets include organizations in Israel and Albania.
Cooperating with Scarred Manticore
BiBi Wiper is reserved for Israeli victims, while CI Wiper focuses primarily on Albanian targets. Additionally, BiBi Wiper does not delete snapshots or disable the system error recovery screen. Still, since the partition information is now also deleted, recovering the data is much more difficult.
Researchers also claim that Void Manticore cooperates extensively with Scarred Manticore, an independent threat actor who is also on the payroll of Iran's Ministry of Intelligence and Security.
Unlike Void Manticore, which typically deploys malware and extracts sensitive data, Scarred Manticore is an initial access broker, whose only task is to find a way into its target's IT infrastructure. Once that goal is achieved, access is handed over to Void Manticore for further action.
To gain that access, Scarred Manticore primarily abuses CVE-2019-0604, a vulnerability in Microsoft SharePoint, to move laterally across the network and steal emails.
Among the different tools in Void Manticore's arsenal is Karma Shell, a custom web shell that hides behind a fake error page. This web shell lists directories, creates processes, can upload files and manage servers, BleepingComputer stated.