This wiper malware takes data destruction to a whole new level
BiBi Wiper now also deletes the disk partition table
Security researchers have observed a new version of BiBi Wiper, a destructive piece of malware that not only wipes the data on the disk but now also deletes the disk partition table. Without the partition table, even forensic recovery of file fragments takes far more time and effort.
The malware is built for both Linux and Windows operating systems, with minor differences between the two. In general, non-system files are overwritten with random data and renamed with a randomly generated extension that contains the string "BiBi".
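As an added example, not code from the article or from Check Point Research, the Python script below shows how an incident responder could triage a host or disk image for the two artifacts described above: files renamed with a "BiBi" extension whose contents are high-entropy (overwritten with random data), and a first sector that no longer carries a partition table. The extension regex, the entropy threshold, the sample files and the sector contents are all assumptions constructed for the example, not indicators published by the researchers.

```python
"""Triage helpers for BiBi-style wiper artifacts (added example, not vendor code)."""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: wiped files end in an extension containing "BiBi" (e.g. "x9q1.BiBi1").
# The exact naming scheme is illustrative and should be replaced with the real IOCs.
BIBI_EXT_RE = re.compile(r"\.[A-Za-z0-9]*BiBi[A-Za-z0-9]*$")

# Random data approaches 8 bits/byte; natural text is typically 4-5 bits/byte.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_wiped(path: Path, sample_size: int = 4096) -> bool:
    """A file is suspicious only if BOTH the name pattern and high entropy match.

    Checking both avoids flagging a legitimately named file that happens to be
    compressed, and avoids flagging a BiBi-named file that still holds readable data.
    """
    if not BIBI_EXT_RE.search(path.name):
        return False
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root: Path) -> list:
    """Return POSIX-style relative paths of files that look wiped, sorted."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and looks_wiped(p)
    )


def partition_table_present(sector0: bytes) -> bool:
    """True if sector 0 ends with the MBR boot signature 0x55AA.

    GPT disks keep a protective MBR, so a zeroed or garbage sector 0 on any
    disk is a strong sign the partition table has been destroyed.
    """
    return len(sector0) >= 512 and sector0[510:512] == b"\x55\xaa"


def gpt_header_present(head: bytes) -> bool:
    """True if LBA 1 (bytes 512-519) starts with the GPT signature 'EFI PART'."""
    return len(head) >= 520 and head[512:520] == b"EFI PART"


def build_sample_tree() -> Path:
    """Create a constructed sample directory (not real victim data) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="bibi_triage_"))
    (root / "docs").mkdir()
    # Wiped: BiBi name + random contents -> should be flagged.
    (root / "docs" / "a1x9.BiBi1").write_bytes(os.urandom(4096))
    # BiBi name but readable contents -> low entropy, not flagged.
    (root / "docs" / "notes.BiBi2").write_bytes(b"hello world\n" * 300)
    # Random contents but ordinary name -> not flagged.
    (root / "photo.jpg").write_bytes(os.urandom(4096))
    (root / "readme.txt").write_text("quarterly report, nothing unusual\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("suspected wiped files:", scan_tree(sample_root))
    zeroed = b"\x00" * 1024  # what a destroyed first two sectors might look like
    print("MBR signature present:", partition_table_present(zeroed))
    print("GPT header present:", gpt_header_present(zeroed))
```

On a real case, point `scan_tree` at a mounted image rather than the live disk, and feed `partition_table_present`/`gpt_header_present` the first 1 KiB read from the raw device or image with `dd`; a missing signature on both checks corroborates the partition-table deletion the researchers describe.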
The new variant was spotted by Check Point Research, whose experts also found two additional custom wipers, Cl Wiper and Partition Wiper. The malware is attributed to Void Manticore, also tracked by Microsoft as Storm-0842, an Iranian state-sponsored threat actor whose targets include organizations in Israel and Albania.
Cooperating with Scarred Manticore
BiBi Wiper is reserved for Israeli victims, while Cl Wiper has been used mostly against Albanian targets. The new BiBi Wiper variant no longer deletes shadow copies or disables the Windows Error Recovery screen. Still, because the partition table is now removed as well, recovering the data is significantly harder.
The researchers also claim that Void Manticore cooperates extensively with Scarred Manticore, a separate threat actor also on the payroll of Iran’s Ministry of Intelligence and Security.
Unlike Void Manticore, which usually deploys malware and exfiltrates sensitive data, Scarred Manticore is an initial access broker, whose only assignment is to find a way into their target’s IT infrastructure. Once that goal is achieved, the access is handed over to Void Manticore for further action.
To obtain that access, Scarred Manticore mostly exploits CVE-2019-0604, a remote code execution vulnerability in Microsoft SharePoint, and then moves laterally through the network and steals emails.
Among the tools in Void Manticore's arsenal is Karma Shell, a custom web shell that hides behind a fake error page. It can list directories, create processes, upload files, and manage servers.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.