Hacker Uncovers New Version of BiBi Wiper

The new version of the BiBi malware erases the disk partition table, which further complicates data recovery and increases the downtime of attacked computers, Check Point analysts warn.

BiBi Wiper was first discovered by Security Joes in October 2023. They wrote that the malware was most likely deployed by pro-Hamas hackers with the goal of causing irreversible data damage. Shortly after, Israel's CERT warned that attacks on Israeli computers aimed at destroying data were becoming more frequent, and that BiBi was being used in attacks against critical organizations in the country.


As Check Point experts now report, the wiper attacks on Israel and Albania are linked to the Iranian-backed hacking group Void Manticore (Storm-842). The report also notes similarities between Void Manticore's operations and those of another Iranian group, Scarred Manticore, suggesting cooperation between them.

In addition, researchers report that they have discovered not only new variants of the BiBi wiper, but also two other custom wipers used by the same group: CI Wiper and Partition Wiper.

Check Point analysts believe that Void Manticore is masquerading as the hacktivist group Karma on Telegram, which emerged after the Hamas attack on Israel last October. To date, Karma has claimed attacks on 40 Israeli organizations, publishing stolen data or evidence of destroyed disks on Telegram.

Interestingly, in some cases Void Manticore received control of the victims' infrastructure from the already mentioned Scarred Manticore group. That group focuses on gaining initial access, mainly by exploiting the vulnerability CVE-2019-0604 in Microsoft SharePoint, and then moves laterally over SMB and collects email. The hacked organizations were then handed over to Void Manticore, which injected payloads, carried out lateral movement across the network, and deployed wipers on victims' systems.


The report states that Void Manticore uses a variety of tools for its attacks, including web shells, manual data removal tools, custom wipers, and credential verification tools.

The first payload deployed to the compromised web server is Karma Shell. It is a custom web shell disguised as an error page that can list directories, create processes, upload files, and manage services.

Commands supported by Karma Shell

In turn, the new versions of BiBi Wiper discovered by Check Point overwrite non-system files with random data and append a randomly generated extension that always contains the string "BiBi".

There are versions of BiBi for Linux and Windows, and each has its own characteristics and minor differences in operation. For example, on Linux, BiBi launches multiple threads, the number depending on the available processor cores, to speed up data erasure. On Windows, the wiper skips .sys, .exe and .dll files to prevent the system from rebooting.

Compared to previous versions of the malware, the new variants target only Israeli systems, do not delete shadow copies, and do not disable the Error Recovery screen. However, they now delete the disk partition table.
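The rename behaviour described above gives defenders a cheap triage signal on a host listing. The following script is an added example, not Check Point's or Security Joes' code; it assumes the random part of the extension is alphanumeric (the article only states that it contains "BiBi"), matches case-sensitively, and runs over a constructed sample listing.

```python
import re
from collections import Counter

# Rename signature from the report: a randomly generated extension that always
# contains "BiBi". The alphanumeric random part is an assumption; the article
# does not give the exact format. Matching is case-sensitive on purpose.
BIBI_EXT_RE = re.compile(r"\.[A-Za-z0-9]*BiBi[A-Za-z0-9]*$")


def _split(path: str):
    """Return (parent_dir, file_name) for either Windows or POSIX separators."""
    norm = path.replace("\\", "/")
    parent, _, name = norm.rpartition("/")
    return parent, name


def is_bibi_renamed(path: str) -> bool:
    """True if the final extension of the file name carries the BiBi marker."""
    return BIBI_EXT_RE.search(_split(path)[1]) is not None


def original_name(path: str) -> str:
    """Strip the appended BiBi extension to recover the pre-wipe file name."""
    return BIBI_EXT_RE.sub("", path)


def triage(paths):
    """Flag BiBi-renamed files and count hits per parent directory."""
    flagged = [p for p in paths if is_bibi_renamed(p)]
    per_dir = Counter(_split(p)[0] for p in flagged)
    return {"flagged": flagged, "per_directory": dict(per_dir)}


# Constructed sample listing for demonstration; these are not real indicators.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.d3fBiBi9k",
    r"C:\Users\alice\Documents\budget.xlsx.BiBiQ7",
    r"C:\Windows\System32\ntoskrnl.exe",        # .exe is spared by the Windows variant
    r"C:\Users\alice\Pictures\bibi_party.jpg",  # lowercase, in the stem: not the marker
    "/home/bob/notes.txt.x1BiBiz",
    "/home/bob/archive.tar.gz",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for p in result["flagged"]:
        print(f"suspected wipe: {p}  (was {original_name(p)})")
    print(result["per_directory"])
```

Because the content has been overwritten with random data, the recovered name only tells you what was lost, not what can be restored; the per-directory counts help scope the damage quickly.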

As for CI Wiper, which was first seen attacking Albanian systems, it uses the ElRawDisk driver to erase data by overwriting the contents of the disk with a predefined buffer.

Partition Wiper, as its name suggests, specifically targets the partition table; because the disk layout can no longer be restored, data recovery becomes considerably more difficult.
