Void Manticore Attacking Organizations with Destructive Wiper Malwares

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Attackers use wipers and ransomware to bring organizations down because both can cause disruption and damage at large scale.

Wipers delete data irretrievably, whereas ransomware locks data and demands a ransom; either can result in large financial losses and operational downtime.

Cybersecurity researchers at Check Point Research recently identified that Void Manticore has been actively attacking organizations with destructive attacks using wipers and ransomware.

Void Manticore Attacking Organizations

Since October 2023, an Iranian group called Void Manticore conducted destructive attacks using wipers and ransomware against Israeli organizations. 

They leaked data under the ‘Karma’ persona and used a custom wiper named ‘BiBi’. Void Manticore collaborated with another group, “Scarred Manticore,” exchanging victims.


Their tactics were basic but benefited from Scarred Manticore’s sophisticated access to high-value targets.

The hacking group ‘Karma’ emerged out of the conflicts in the Middle East, using the ‘BiBi’ wiper and an anti-Zionist persona that opposed Israeli PM Netanyahu.

While initially seen as typical hacktivists, Karma made a name for itself through a campaign publicizing intrusions into over 40 Israeli entities and dumping their data.

Attribution revealed a high degree of overlap between the leaks of Karma and the victims of the Iranian group Scarred Manticore. 

Timeline of the Void-Scarred Connection (Source – Check Point)

Digital forensics revealed another post-access persona, Void Manticore, through a “handoff” process involving web shells and shared credentials that allowed Void Manticore to deploy BiBi on Scarred Manticore’s prior victims, Check Point said.

What is noticeable about the Void Manticore is their use of simple and direct methods of attack, which might be called “quick and dirty.” They most often initially compromise internet-connected servers using web shells such as “Karma Shell.” 

They use RDP to validate domain admin credentials, drop tunneling shells (such as reGeorg), and gather reconnaissance information.

They build custom wipers that either corrupt specific file types for a targeted effect or destroy the entire partition table, rendering all data on the disk unavailable.

This is a deliberate choice that fits their objective of carrying out quick destructive wiper attacks after receiving handed-off access from other groups.

The wipers used are listed below:

  • Cl Wiper
  • Partition Wipers
  • BiBi Wiper

Apart from their custom wipers, Void Manticore also uses ordinary tools: Windows Explorer for manual file deletion, Sysinternals SDelete for secure wiping, and the format utility to corrupt partitions.

They operate under different personas, such as “Homeland Justice” and “Karma,” to craft tailored messaging that turns political confrontation into a weapon of destruction.

Their close alliance with the advanced group Scarred Manticore, which at times shares victims through documented handovers, extends Void Manticore’s reach and impact and makes them a highly dangerous Iranian threat actor.
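Because the destructive stage relies on tools that are legitimate on most Windows hosts, a practical defensive step is to surface their execution in process-creation telemetry for triage. The following Python snippet is an added example, not code from the article or from Check Point; the event records are constructed, and the field names, rule names and severities are assumptions rather than a published detection rule.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative records for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv-01", "user": "CORP\\admin", "image": "C:\\Tools\\sdelete64.exe",
     "cmdline": "sdelete64.exe -accepteula -p 3 -s -r D:\\Shares\\Finance"},
    {"host": "srv-01", "user": "CORP\\admin", "image": "C:\\Windows\\System32\\format.com",
     "cmdline": "format.com E: /FS:NTFS /Q /Y"},
    {"host": "ws-07", "user": "CORP\\alice", "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe"},
    {"host": "srv-02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Rules for the built-in / Sysinternals utilities the article names.
# Each rule: (name, compiled pattern, event field to match, severity). Assumed values.
RULES = [
    ("sdelete_secure_delete", re.compile(r"(^|\\)sdelete(64)?\.exe$", re.I), "image", "high"),
    ("format_volume", re.compile(r"(^|\\)format\.com$", re.I), "image", "high"),
]


def classify_event(event):
    """Return a list of (rule_name, severity) hits for one process-creation event."""
    hits = []
    for name, pattern, field, severity in RULES:
        if pattern.search(event.get(field, "")):
            hits.append((name, severity))
    return hits


def scan_events(events):
    """Scan a sequence of events and return alert dicts for triage.

    A quick-format switch (/Q) on format.com is noted separately because it
    makes the volume unusable almost immediately, leaving little time to react.
    """
    alerts = []
    for ev in events:
        for name, severity in classify_event(ev):
            note = ""
            if name == "format_volume" and re.search(r"/Q\b", ev.get("cmdline", ""), re.I):
                note = "quick format switch present"
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "rule": name,
                "severity": severity,
                "cmdline": ev.get("cmdline", ""),
                "note": note,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Both utilities have legitimate administrative uses, so the output is a triage queue rather than a verdict; the alerts become much more meaningful when correlated with the earlier stages the article describes, such as a web shell on an internet-facing server or RDP logons with domain admin credentials shortly before the destructive command ran.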
