An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) is using destructive data wiping attacks combined with influence operations to target Israel and Albania.
Tracked as Void Manticore, aka Storm-842, the threat actor operates under multiple online personas in which the primary alias includes “Homeland Justice” for attacks in Albania and “Karma” for those in Israel.
Since October 2023, Check Point Research monitored Void Manticore’s activities targeting Israeli organizations with destructive attacks using wipers and ransomware. The group employs five different methods for disruptive operations, including custom wipers for both Windows and Linux operating systems, as well as manual deletion of files and shared drives.
Void Manticore’s activities in Israel are marked by the use of a custom wiper named “BiBi,” after Israeli Prime Minister Benjamin Netanyahu. The group also uses a persona named “Karma” to leak stolen information, portraying themselves as an anti-Zionist Jewish group. This persona gained prominence during the Israel-Hamas conflict in late 2023.
Void Manticore threat actor employs relatively simple and direct techniques, often using basic publicly available tools. Their operations typically involve lateral movements using Remote Desktop Protocol (RDP) and the manual deployment of wipers. One of their prominent tools is “Karma Shell,” a homebrewed web shell disguised as an error page. This malicious shell is capable of directory listing, process creation, file uploads, and service management.
The Destructive Wiper Capabilities of Void Manticore
Void Manticore utilizes various custom wipers in their attacks:
- Cl Wiper: First used in attacks against Albania, this wiper uses the ElRawDisk driver to interact with files and partitions, effectively erasing data by overwriting physical drives with predefined buffers.
- Partition Wipers: These wipers remove partition information, leading to the loss of all data on the disk by corrupting the partition table, resulting in a system crash during reboot.
- BiBi Wiper: Deployed in recent attacks against Israel, this wiper exists in both Linux and Windows variants. It corrupts files and renames them with specific extensions, causing significant data loss.
Apart from automated wipers, Void Manticore engages in manual data destruction using tools like Windows Explorer, SysInternals SDelete and the Windows Format utility, furthering their impact on targeted systems.
Psychological Warfare and Collaboration with Scarred Manticore
Void Manticore’s strategy also includes psychological operations, aiming to demoralize and disrupt their targets by publicly leaking sensitive information. This dual approach amplifies the impact of their cyberattacks, making them a formidable threat.
Notably, there is a significant overlap and cooperation between Void Manticore and another Iranian threat group, Scarred Manticore (aka Storm-861).
Analysis shows a systematic handoff of victims between these two groups. For instance, Scarred Manticore might establish initial access and exfiltrate data after which Void Manticore executes the destructive data wiping attack. This collaboration enables Void Manticore threat actor to leverage Scarred Manticore’s advanced capabilities and gain access to high-value targets.
“In the case of one victim, we discovered that after residing on the targeted network for over a year, Scarred Manticore was interacting with the infected machine at the exact moment a new web shell was dropped to disk. Following the shell’s deployment, a different set of IPs began accessing the network, suggesting the involvement of another actor – Void Manticore,” the researchers said.
“The newly deployed web shell and subsequent tools were significantly less sophisticated than those in Scarred Manticore’s arsenal. However, they led to the deployment of the BiBi wiper, which is linked to Karma’s activity.”
Void Manticore represents a significant cyber threat, particularly in the context of geopolitical tensions involving Iran. Iranian President Ebrahim Raisi died in a helicopter crash in a remote area of the country. Rescuers identified Raisi’s body early Monday after searching in the mountainous northwest near the Azerbaijan border.
Since his election in 2021, Raisi had tightened morality laws, cracked down on antigovernment protests and resisted international oversight of Tehran’s nuclear program. Israel’s war in Gaza has escalated conflicts with Iran-backed groups like Hezbollah in Lebanon and the Houthis in Yemen. Last month, Iran and Israel exchanged direct strikes. It is still unclear whether Raisi’s death is also linked to Israeli operations.
Meanwhile, the recent escalations meant that Void Manticore’s coordinated operations with Scarred Manticore, combines their dual approach of technical destruction and psychological manipulation and positions them as a highly dangerous actor. Their activities not only target infrastructure but also aim to influence public perception and political stability, underlining the multifaceted nature of modern cyber warfare.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
