A new version of the BiBi Wiper malware has emerged, now targeting the disk partition table to complicate data restoration and extend downtime for affected victims.
The attacks, linked to the suspected Iranian hacking group ‘Void Manticore’ (Storm-842), are believed to be associated with Iran’s Ministry of Intelligence and Security (MOIS). The malware has primarily targeted Israel and Albania.
BiBi Wiper was first identified in October 2023, leading Israel’s CERT to issue an alert in November 2023 about large-scale cyberattacks on critical organizations.
A new report reveals updated variants of BiBi Wiper and two other custom wipers, Cl Wiper and Partition Wiper, used by the same threat group. The report also notes operational overlaps between Void Manticore and another Iranian group, ‘Scarred Manticore,’ indicating potential collaboration.
Void Manticore may operate under the ‘Karma’ hacktivism group on Telegram, which emerged after the Hamas attack on Israel in October. Karma has claimed attacks on over 40 Israeli organizations, sharing stolen data or evidence of wiped drives on Telegram to amplify the impact.
For the Albanian attacks, the persona ‘Homeland Justice’ has leaked stolen files on Telegram. This tactic is similar to Sandworm (APT44), which uses hacktivist-branded Telegram channels to hide its operations.
Void Manticore has sometimes transferred control of compromised infrastructure to Scarred Manticore. Scarred Manticore typically gains initial access through the Microsoft SharePoint CVE-2019-0604 flaw, performs SMB lateral movement, and harvests emails. Void Manticore then handles payload injection, lateral movement, and deploying data wipers.
The tools used by Void Manticore include web shells, manual deletion tools, custom wipers, and credential verification tools. The initial payload, Karma Shell, is a custom web shell disguised as an error page capable of listing directories, creating processes, uploading files, and managing services.
The analysis of newer BiBi Wiper versions shows that they corrupt non-system files with random data and append a “BiBi” string to the file extension. BiBi has both Linux and Windows variants, with unique characteristics for each OS. For instance, on Linux, it uses multiple CPU threads to expedite the wiping process, while on Windows, it avoids deleting .sys, .exe, and .dll files to keep the system bootable.
Unlike previous versions, the latest BiBi Wiper variants only target Israeli systems, do not delete shadow copies, and do not disable the Error Recovery screen. However, they now remove partition information from the disk, complicating data recovery.
Cl Wiper, first observed in attacks on Albanian systems, uses the ‘ElRawDisk’ driver to overwrite physical drive contents. Partition Wiper specifically targets the partition table, making the disk layout irrecoverable and maximizing damage.
These attacks often result in blue screen of death (BSOD) errors or system crashes upon reboot, and they affect disks using either Master Boot Record (MBR) or GUID Partition Table (GPT) partitioning.
Organizations can safeguard against BiBi Wiper and similar malware by ensuring robust backup strategies, including offline backups, to facilitate data recovery in the event of an attack. Employing advanced endpoint protection solutions that can detect and respond to unusual activities, such as unauthorized partition table modifications, is crucial. Regularly updating software and conducting security audits can help identify and mitigate vulnerabilities before they are exploited.
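As an added illustration of the detection idea above (not code from the report or from any vendor), the following Python checks flag the two observable side effects the article describes: a zeroed or signature-less MBR/GPT sector, and a spike in filenames carrying the appended “BiBi” marker. The sector images are constructed inline; the exact form of the marker (".BiBi" after the original extension) and the baseline-fingerprint workflow are assumptions.

```python
import hashlib
import re
import struct


def build_sample_mbr(with_partition=True):
    """Constructed 512-byte MBR image used only to exercise the checks below."""
    mbr = bytearray(512)
    if with_partition:
        # one primary entry at offset 446: bootable flag, type 0x07, LBA start 2048, 1M sectors
        mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    mbr[510:512] = b"\x55\xAA"  # boot signature expected on a healthy MBR disk
    return bytes(mbr)


def mbr_looks_wiped(sector0):
    """True when sector 0 lost its boot signature or all four partition entries are zeroed."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        return True
    return not any(sector0[446:510])


def gpt_header_looks_wiped(sector1):
    """True when LBA 1 no longer starts with the GPT signature 'EFI PART'."""
    return sector1[:8] != b"EFI PART"


def sector_fingerprint(sector):
    """SHA-256 of a raw sector; record this for sectors 0 and 1 at a known-good time."""
    return hashlib.sha256(sector).hexdigest()


def partition_table_changed(sector, baseline_fingerprint):
    """Compare the current sector against the stored known-good fingerprint."""
    return sector_fingerprint(sector) != baseline_fingerprint


# Assumption: the appended marker appears as ".BiBi" after the original extension.
BIBI_MARKER = re.compile(r"\.BiBi", re.IGNORECASE)


def count_bibi_files(names):
    """Count filenames carrying the BiBi marker; a sudden spike is a wiper-in-progress signal."""
    return sum(1 for name in names if BIBI_MARKER.search(name))
```

On a live host the sector checks would be fed the first two 512-byte sectors read from the physical disk, and the filename check would run over a periodic directory listing or file-creation events.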