FacebookTwitterLinkedIn

BiBi Wiper Now Destroys Disk Partition Table

Karolis Liucveikis Written by on

Security researchers at security firm Check Point Research have discovered a new version of the BiBi wiper malware that now includes destroying disk partition drives, making any recovery process far more complex.

Wiper malware is designed to cause permanent damage to both data and hardware, making continued use of a machine challenging to near impossible, depending on the extent of the damage.

These tools have been a favorite of Iranian state-sponsored groups looking to further the country's geopolitical aims. In recent years, their use has also increased in active war zones like Ukraine.

BiBi Wiper Now Destroys Disk Partition Table

BiBi wiper was first discovered in October 2023 and was used in attacks against Israeli and Albanian targets. Attacks against Israeli targets included attacks on critical infrastructure, which were believed at the time to form part of a much wider cyber offensive.

BiBi wiper has been attributed to a suspected Iranian hacking group named 'Void Manticore' (Storm-842), which is believed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS).

The research published by Check Point recently noted that Void Manticore was using the BiBi wiper and two other malware wipers as part of their toolkit. Researchers noted, regarding BiBi Wiper, that,

In their most recent attacks, Void Manticore used a custom wiper called the BiBi wiper, referencing the nickname of Israel’s prime minister, Benjamin Netanyahu. The wiper was deployed in several campaigns against multiple entities in Israel and has variants for both Linux and Windows.

Regarding the Linux variant, researchers noted,

BiBi Wiper can receive command-line parameters such as the target_path(which is “/” by default). The wiper uses several threads, based on the number of CPU cores, for the wiping process and employs a queue to synchronize between them. It then corrupts the files with buffers of random data and renames the infected files with random names and the “.BiBi” extension ([RANDOM_NAME].BiBi[NUMBER])...Interestingly, BiBi Wiper doesn’t infect files with the extensions “.out” and “.so”, likely because it relies on files with those extensions (like bibi-linux.out) and other libraries essential for the OS and to keep the process running.

While the Windows version differs from the Linux version in several notable ways, including:

  • In the Windows variant, the extension for the wiped files is “.BiBi”.
  • The Windows variant deletes shadow copies from the system with the commands:
    1. cmd.exe /c  vssadmin delete   shadows /quIet /all
    2. cmd.exe /c wmic shadowcopy delete
  • The Windows variant disables the system’s trigger to call the Error Recovery screen on startup with the command cmd.exe / c bcdedit / set {default} bootstatuspolicy ignoreallfailures and then turns it off with the command cmd.exe /c bcdedit /set {default} recoveryenabled no.
  • All the command strings are stored in reverse

Void Manticore Tactics and Techniques

Check Point has been tracking Void Manticore operations since October 2023. The group is primarily known for distributing wiper malware and ransomware. It has also been seen leaking confidential data stolen during attack campaigns under the hacktivist pseudonym Karma, sometimes spelled KarMa.

Void Manticore's activities extend beyond Israel. The group has also executed attacks in Albania using the pseudonym Homeland Justice to leak some of the collected data. As mentioned previously, attacks targeting Israel are distinguished by the utilization of the custom BiBi wiper, named after Israeli Prime Minister Benjamin Netanyahu.

Check Point's analysis of Void Manticore's intrusions and information leaks reveals a significant overlap in victimology with Scarred Manticore, suggesting a collaboration between the two groups.

Researchers identified a clear "handoff" procedure for victims from Scarred Manticore to Void Manticore, in some instances, between the two groups. This phenomenon is evident in several cases involving victims in both Israel and Albania, indicating that cooperation between the threat actors extends beyond single operations or incidents.

The techniques, tactics, and procedures (TTPs) employed by Void Manticore are relatively straightforward and simple, often involving hands-on efforts using basic and mostly publicly available tools. They usually perform lateral movements using Remote Desktop Protocol (RDP) and typically deploy their wipers manually while conducting other manual deletion operations to help ensure.

The collaboration with Scarred Manticore, which appears to be a more sophisticated actor, has likely facilitated Void Manticore's access to high-value targets, fundamentally increasing the potential threat targets face when in Void Manticore's sights.

Researchers concluded,

Void Manticore’s use of distinct online personas, notably “Homeland Justice” and “Karma,” plays a significant role in their strategy. The personas allow them to tailor their messaging in an attempt to effectively weaponize political tensions. The deployment of the custom BiBi wiper in their operations against Israeli targets showcases their intent to not only cause direct damage but also to send a politically charged message.

And,

The collaboration between Void Manticore and Scarred Manticore reveals a high degree of coordination within their operations. The documented handoff procedures between these groups suggest a consistent level of planning and allow Void Manticore access to a wider set of targets, facilitated by their counterparts’ advanced capabilities. This cooperation positions Void Manticore as an exceptionally dangerous actor within the Iranian threat landscape.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog