Iranian MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel


An Iranian threat actor affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been observed conducting destructive wiping attacks against targets in Albania and Israel. Cybersecurity firm Check Point tracks the activity as Void Manticore, which Microsoft tracks as Storm-0842 (formerly DEV-0842). The tactics, techniques, and procedures (TTPs) employed by Void Manticore are relatively straightforward, involving hands-on operator activity with basic, mostly publicly available tools. The group typically moves laterally over Remote Desktop Protocol (RDP) and deploys its wipers manually, alongside other manual deletion operations. Collaboration with Scarred Manticore, which appears to be the more sophisticated of the two actors, has likely given Void Manticore access to high-value targets. In the case of one victim, Check Point found that after residing on the targeted network for over a year, Scarred Manticore was interacting with the infected machine at the exact moment a new web shell was written to disk. Following the shell's deployment, a different set of IP addresses began accessing the network, suggesting the involvement of another actor, Void Manticore.

Void Manticore's TTPs are straightforward and aligned with its goal of quick and dirty destructive operations. Access was established through an internet-facing web server, on which the group used several web shells. Among them was "Karma Shell", which appears to be a custom tool that masquerades as an error page; it can list directories, create processes, upload files, and start, stop, and list services. One notable activity observed is the upload of a tailor-made executable, do.exe, which attempts to authenticate with a set of Domain Admin credentials. If authentication succeeds, the executable copies another web shell, the publicly available reGeorg tunnelling shell, to the web directory, signalling to the operator that the credentials are valid. With the reGeorg tunnel in place, the actor moves laterally over RDP and collects information about the target network using Sysinternals AD Explorer. Some of Void Manticore's wipers target the files themselves, corrupting specific files or file types on the infected system so that the malware can selectively erase critical data and disrupt system functionality. In addition to deploying custom wipers, the group singles out victims for manual data destruction using seemingly legitimate utilities: file deletion via Windows Explorer, Sysinternals SDelete, and the Windows Format utility.
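The hands-on tradecraft described above (commands spawned by a web shell, a second shell such as reGeorg copied into the web directory, RDP lateral movement, AD Explorer recon, and manual wiping with SDelete or format) is visible in ordinary endpoint telemetry. The following is an added example of that detection logic run over constructed sample events; it is not code from Check Point's report. It assumes Sysmon-style records (EventID 1 process creation, 11 file creation) and Security 4624 logon records already parsed into dicts, IIS as the web server (w3wp.exe, C:\inetpub\wwwroot), a deployment-tool allowlist (msdeploy.exe), a jump-host allowlist for RDP, and "tunnel.aspx" as the file name of the dropped reGeorg shell. All of those names, paths and addresses are assumptions for illustration, not details from the report.

```python
import ntpath

# Assumptions for this example (not from the Check Point report).
WEB_WORKERS = {"w3wp.exe"}                      # IIS worker process
WEB_ROOTS = ("c:\\inetpub\\wwwroot\\",)         # web directory to watch
DEPLOY_ALLOWLIST = {"msdeploy.exe"}             # legitimate writers of web content
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}
WIPE_TOOLS = {"sdelete.exe", "sdelete64.exe", "format.com", "format.exe"}
RECON_TOOLS = {"adexplorer.exe", "adexplorer64.exe"}
RDP_JUMP_HOSTS = {"10.0.0.5"}                   # hosts allowed to originate RDP
RDP_LOGON_TYPE = "10"                           # RemoteInteractive


def _base(path):
    """Lower-cased file name of a Windows path (handles missing fields)."""
    return ntpath.basename(path or "").lower()


def check_process(ev):
    """Sysmon EventID 1 / Security 4688 style process-creation record."""
    img, parent = _base(ev.get("Image")), _base(ev.get("ParentImage"))
    found = []
    if parent in WEB_WORKERS:           # web shell executing commands
        found.append(("webshell-exec", f"{parent} spawned {img}: {ev.get('CommandLine', '')}"))
    if img in WIPE_TOOLS:               # manual destruction with SDelete / format
        found.append(("manual-wipe", f"{img} run by {ev.get('User', '?')}: {ev.get('CommandLine', '')}"))
    if img in RECON_TOOLS:              # Sysinternals AD Explorer on a non-admin box
        found.append(("ad-recon", f"{img} run by {ev.get('User', '?')}"))
    return found


def check_file(ev):
    """Sysmon EventID 11: a server-side script written into the web root."""
    target = (ev.get("TargetFilename") or "").lower()
    writer = _base(ev.get("Image"))
    in_root = any(target.startswith(root) for root in WEB_ROOTS)
    if in_root and ntpath.splitext(target)[1] in SCRIPT_EXTS and writer not in DEPLOY_ALLOWLIST:
        return [("webshell-drop", f"{writer} wrote {target}")]
    return []


def check_logon(ev):
    """Security EventID 4624: RDP (logon type 10) from an unexpected source."""
    if ev.get("LogonType") == RDP_LOGON_TYPE and ev.get("IpAddress") not in RDP_JUMP_HOSTS:
        return [("rdp-lateral", f"{ev.get('TargetUserName')} via RDP from {ev.get('IpAddress')}")]
    return []


HANDLERS = {1: check_process, 4688: check_process, 11: check_file, 4624: check_logon}


def scan(events):
    """Run every record through the handler for its event ID; return (rule, detail) pairs."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev.get("EventID"))
        if handler:
            findings.extend(handler(ev))
    return findings


# Constructed sample telemetry following the intrusion sequence in the text,
# plus two benign records that the allowlists should suppress.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami", "User": "IIS APPPOOL\\DefaultAppPool"},
    {"EventID": 11, "Image": "C:\\Windows\\Temp\\do.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\tunnel.aspx"},          # reGeorg copied to web dir
    {"EventID": 4624, "LogonType": "10", "IpAddress": "10.0.0.77", "TargetUserName": "da-admin"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\ADExplorer64.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "ADExplorer64.exe", "User": "CORP\\da-admin"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\sdelete64.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "sdelete64.exe -s -p 1 D:\\Shares", "User": "CORP\\da-admin"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\format.com",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "format D: /q /y", "User": "CORP\\da-admin"},
    {"EventID": 11, "Image": "C:\\Program Files\\IIS\\Microsoft Web Deploy V3\\msdeploy.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\default.aspx"},         # benign deployment
    {"EventID": 4624, "LogonType": "10", "IpAddress": "10.0.0.5", "TargetUserName": "helpdesk"},  # benign jump host
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The rules are deliberately behavioural rather than hash-based: a renamed SDelete or a differently named reGeorg file still trips the "process spawned by the web worker" and "script written into the web root" checks, which is where file-based IOCs from a single campaign tend to fall short.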

Check Point researchers note that "Void Manticore's use of distinct online personas, notably 'Homeland Justice' and 'Karma,' plays a significant role in their strategy. The personas allow them to tailor their messaging in an attempt to effectively weaponize political tensions. The deployment of the custom BiBi wiper in their operations against Israeli targets showcases their intent to not only cause direct damage but also to send a politically charged message."

Security Officer Comments:
Void Manticore's operations are characterized by a dual approach, combining psychological warfare with actual data destruction: wiping attacks paired with public leaks of stolen information. A notable aspect of this activity is that Storm-0861 (Scarred Manticore) is assessed to be a subordinate element within APT34 (aka Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, and OilRig), an Iranian nation-state group linked to wiper malware such as Shamoon and ZeroCleare. The technique overlap and the collaboration between the two actors suggest that handing targets off between the groups is a coordinated and routine process. These overlaps prompted the Check Point team to further analyze the connection between the Karma persona and Scarred Manticore; their findings led them to another actor, Void Manticore, which likely operates the Karma persona and uses access previously obtained by Scarred Manticore.

Suggested Corrections:
Check Point has published IOCs and YARA rules for these attacks in its report on Void Manticore. Beyond matching those indicators, the TTPs above give defenders behavioural hunting leads that survive renamed tooling: processes spawned by the web server worker, script files written into the web root outside of deployments, RDP logons from hosts that are not designated jump boxes, and execution of SDelete or the Format utility on servers.