Severity
High
Analysis Summary
Destructive wiping attacks against Albania and Israel have been linked to an Iranian threat actor associated with the Ministry of Intelligence and Security (MOIS), operating under the personas Homeland Justice and Karma, respectively. Researchers track this activity as Void Manticore, also known as Storm-0842.
Cybersecurity analysts said, “There are clear overlaps between the targets of Void Manticore and Scarred Manticore, with indications of systematic handoff of targets between those two groups when deciding to conduct destructive activities against existing victims of Scarred Manticore.”
Under the Homeland Justice persona, the threat actor has been known for disruptive cyberattacks against Albania since July 2022. These attacks use custom wiper malware known as Cl Wiper and No-Justice (also known as LowEraser). After the outbreak of the Israel-Palestine war in October 2023, similar wiper attacks employing another custom wiper, dubbed BiBi, hit Windows and Linux systems in Israel; Karma is the hacktivist persona used for those attacks.
The group's attack chains are uncomplicated and easy to follow: it relies primarily on publicly available tools and protocols such as File Transfer Protocol (FTP), Server Message Block (SMB), and Remote Desktop Protocol (RDP) for lateral movement before deploying its malware. Initial access is sometimes obtained by exploiting known vulnerabilities in internet-facing applications, such as CVE-2019-0604.
Once a foothold is established, web shells are deployed, among them the Karma Shell, a custom-built tool that masquerades as an error page but can list directories, create processes, upload files, and start, stop, and list services. Void Manticore is believed to carry out its intrusions using access previously obtained by Scarred Manticore (also known as Storm-0861), pointing to a handoff process between the two threat actors.
Microsoft previously highlighted this level of collaboration in its investigation of the 2022 attacks on the government of Albania, noting that several Iranian actors took part and were responsible for different phases: Storm-0861 obtained initial access and exfiltrated data, Storm-0842 deployed the wiper malware and ransomware, Storm-0166 stole information, and Storm-0133 surveyed the victim's network.
Notably, Storm-0861 is considered a subordinate element of APT34 (also known as Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, and OilRig), an Iranian nation-state group best known for the wiper malware families ZeroCleare and Shamoon.
The similarity of the tactics used in the attacks on Israel and Albania, together with the coordination between the two distinct actors, suggests that this handoff process has become routine. Void Manticore's activity is distinguished by a dual strategy that combines actual data destruction with psychological warfare: it pairs wiper attacks with information leaks, compounding the damage to the targeted organizations.
Impact
- Data Loss
- Exposure of Sensitive Data
- Unauthorized Access
- File Manipulation
Indicators of Compromise
MD5
- 4804d09f713ac41c6971083d0c10facb
- cdf7bd4489e156d29af9e73a7dd3d160
SHA-256
- 85fa58cc8c4560adb955ba0ae9b9d6cab2c381d10dbd42a0bceb8b62a92b7636
- 74d8d60e900f931526a911b7157511377c0a298af986d42d373f51aac4f362f6
SHA-1
- 85b5802f703f3ee049cbde1a2f6ccb3301705c45
- 61e11f9b6d1632cc3d490fac3afa326c59ce4321
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Educate potential targets on the risks associated with engaging in online conversations with unknown individuals, especially on social media platforms.
- Encourage individuals to use secure communication tools and platforms that offer end-to-end encryption to protect sensitive information.
- Conduct phishing awareness training to help users recognize and avoid social engineering attacks, such as deceptive messages and links.
- Advise users to enable MFA on their accounts to add an extra layer of protection against unauthorized access.
- Ensure that all devices and software used are up to date with the latest security patches to mitigate vulnerabilities.
- Train individuals to be cautious when interacting with unknown individuals online and to be vigilant about unusual or suspicious requests.
- Implement network monitoring and intrusion detection systems to detect any unauthorized access attempts or unusual activities.
- Recommend the use of secure messaging and communication platforms that offer end-to-end encryption and protect conversations from interception.
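As an added example (not part of the original advisory) of the "search for indicators of compromise" step above, the following Python script computes MD5, SHA-1 and SHA-256 in a single pass over each file under a directory and reports any file whose digest appears in this advisory's IoC list. The directory path and the in-memory test inputs are assumptions; the hash values are the ones listed above.

```python
import hashlib
import os

# Indicators listed in this advisory, keyed by the algorithm name hashlib uses.
IOC_HASHES = {
    "md5": {"4804d09f713ac41c6971083d0c10facb",
            "cdf7bd4489e156d29af9e73a7dd3d160"},
    "sha1": {"85b5802f703f3ee049cbde1a2f6ccb3301705c45",
             "61e11f9b6d1632cc3d490fac3afa326c59ce4321"},
    "sha256": {"85fa58cc8c4560adb955ba0ae9b9d6cab2c381d10dbd42a0bceb8b62a92b7636",
               "74d8d60e900f931526a911b7157511377c0a298af986d42d373f51aac4f362f6"},
}

def digest_chunks(chunks):
    """Feed an iterable of byte chunks through md5, sha1 and sha256 in a single pass."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_file(path, chunk_size=1 << 20):
    """Digests of a file on disk, read once in 1 MiB chunks so large files fit in memory."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))

def match_iocs(digests, iocs=IOC_HASHES):
    """Return (algorithm, digest) pairs whose digest appears in the IoC set (case-insensitive)."""
    return [(algo, digests[algo].lower()) for algo in iocs
            if digests.get(algo, "").lower() in iocs[algo]]

def sweep(root, iocs=IOC_HASHES):
    """Walk a directory tree; return {path: hits} for every file that matches an IoC."""
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                matched = match_iocs(hash_file(path), iocs)
            except OSError:
                continue  # unreadable or locked file: skip it and keep sweeping
            if matched:
                hits[path] = matched
    return hits

if __name__ == "__main__":
    import sys
    for path, matched in sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, ", ".join(f"{algo}={d}" for algo, d in matched))
```

Run it as `python sweep.py /path/to/scan`; a hit on any of the three algorithms is reported, so an indicator published only as SHA-1 still matches a sample whose MD5 was never shared.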