Void Manticore Attack Detection: Iranian Hackers Launch Destructive Cyber Attacks Against Israel

May 21, 2024 · 5 min read

Defenders have uncovered the increasing malicious activity of the Void Manticore group linked to Iran’s Ministry of Intelligence and Security (MOIS). Adversaries, also known as Storm-842, are behind a series of destructive cyber attacks against Israel. Void Manticore is also tracked under the monikers Homeland Justice and Karma, expanding the scope of its intrusions beyond Israel.

Detect Void Manticore (aka Storm-842 or Karma) Activity

During 2023-2024, the activity of nation-backed hacking collectives escalated significantly, reflecting intensifying regional geopolitical disputes around the world. With the rapid adoption of new TTPs and the growing number of ongoing malicious campaigns, security professionals are seeking reliable tools to advance their threat detection and hunting routines.

The latest nefarious campaign in the spotlight involves the Void Manticore APT, which has been continuously targeting Israel and Albania to serve the political interests of Iran. To help cyber defenders spot related malicious activity at the earliest stages of the attack development, SOC Prime Platform for collective cyber defense aggregates a set of curated Sigma rules addressing the latest Void Manticore attacks, including those leveraging BiBi wiper. Hit the Explore Detections button below and immediately drill down to the detection stack.

Explore Detections

All the detection rules are compatible with 30+ SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK framework. Additionally, to streamline threat investigation, algorithms are enriched with extensive metadata, including CTI links, ATT&CK references, triage recommendations, and more.

Security professionals seeking additional detection content to analyze Void Manticore’s activity retrospectively can browse SOC Prime’s Threat Detection Marketplace using the “Void Manticore,” “Storm-842,” and “Karma” tags.

Void Manticore Activity Analysis

Iran-linked state-sponsored hacking collectives, like Agonizing Serpens, are posing increasing challenges to defenders, with Israeli organizations among their primary targets. Another Iranian nation-backed collective, tracked as Void Manticore, aka Storm-842, is now in the spotlight. The group has been involved in notorious wiping campaigns along with influence operations against Israel. Operating under the moniker Homeland Justice, the group has been observed in attacks against Albania, while another of its personas, Karma, has been linked to adversary campaigns against Israel.

Check Point Research has been actively tracking nation-backed APTs attacking Israeli institutions with data-wiping malware and ransomware since mid-fall 2023. Among the mentioned state-sponsored threats, Void Manticore represents an Iran-affiliated hacking collective notorious for launching massive attacks and stealing sensitive info under the moniker Karma. In Israel, the group’s attacks are marked by the use of the custom BiBi Wiper, named after Israeli Prime Minister Benjamin Netanyahu. The wiper was employed in multiple campaigns targeting a set of Israeli organizations, with both Windows- and Linux-based iterations.

A deep dive into Void Manticore’s behavioral patterns and data dumps reveals a significant overlap in victim profiles with Scarred Manticore (aka Storm-0861), which indicates a possible collaboration between the two nation-backed hacking groups. Void Manticore’s TTPs are relatively basic and straightforward, relying on hands-on methods and mostly open-source utilities. Adversaries frequently move laterally within the compromised network via RDP before malware deployment. At later attack stages, they commonly deploy their wiping malware by hand while carrying out other manual deletion tasks. Coordinating efforts with the more advanced Scarred Manticore group likely enhances Void Manticore’s capability to launch high-profile attacks. Notably, Storm-0861 is considered to be a subcluster of APT34, another Iranian state-sponsored group notable for deploying the Shamoon and ZeroCleare wiper malware.

After gaining a foothold, Void Manticore proceeds to deploy web shells, including a custom one known as Karma Shell, disguised as an error page. Adversaries employ custom wiping malware in their intrusions. Some of these wipers target and destroy specific files or file types within impacted systems, causing focused damage. Other wipers attack the system’s partition table rather than deleting data selectively, essentially removing the map the OS uses to locate and access data.

Apart from leveraging custom data-wiping malware, the group also carries out manual data destruction on victim systems with legitimate utilities, such as file deletion via Windows Explorer, SysInternals SDelete, and the Windows Format utility.
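As an added illustration (not part of the original post or SOC Prime’s own rules), the following Python sketch shows how the chain described above, an RDP logon followed by manual destruction with SDelete or the Windows format utility, could be surfaced from Windows logon (4624) and process-creation (4688) telemetry; the event records, host names and user names are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), ordered by time.
SAMPLE_EVENTS = [
    {"time": "2024-05-20T01:02:00", "host": "FS01", "event_id": 4624,
     "logon_type": 10, "user": "CORP\\svc_backup"},
    {"time": "2024-05-20T01:09:30", "host": "FS01", "event_id": 4688,
     "user": "CORP\\svc_backup",
     "cmdline": r"C:\Tools\sdelete64.exe -accepteula -s -q D:\Shares"},
    {"time": "2024-05-20T01:15:00", "host": "FS01", "event_id": 4688,
     "user": "CORP\\svc_backup",
     "cmdline": r"C:\Windows\System32\format.com E: /FS:NTFS /Q /Y"},
    # Same utility on another host, but with no preceding RDP logon.
    {"time": "2024-05-20T03:00:00", "host": "WS07", "event_id": 4688,
     "user": "CORP\\alice",
     "cmdline": r"C:\Windows\System32\format.com F: /Q"},
]

# Command-line patterns for the two utilities named in the post:
# SysInternals SDelete and the Windows format utility (format.com/.exe).
DESTRUCTIVE_PATTERNS = {
    "sdelete": re.compile(r"\bsdelete(64)?(\.exe)?\b", re.IGNORECASE),
    "format": re.compile(r"\bformat(\.com|\.exe)?\s+[a-z]:", re.IGNORECASE),
}

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)


def find_destructive_after_rdp(events, window=timedelta(hours=1)):
    """Flag destructive utilities; mark those run within `window` after an
    RDP logon by the same user on the same host as higher-confidence."""
    last_rdp = {}  # (host, user) -> time of most recent RDP logon
    alerts = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["user"])
        if ev["event_id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            last_rdp[key] = t
            continue
        if ev["event_id"] != 4688:
            continue
        for name, pat in DESTRUCTIVE_PATTERNS.items():
            if pat.search(ev["cmdline"]):
                rdp_t = last_rdp.get(key)
                preceded = rdp_t is not None and t - rdp_t <= window
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "tool": name, "after_rdp": preceded,
                               "cmdline": ev["cmdline"]})
    return alerts
```

The `after_rdp` flag separates the post’s described intrusion pattern from routine administrative use of the same tools, which is where such a rule would otherwise generate noise.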

Void Manticore’s campaigns involve a two-pronged strategy, blending psychological warfare with tangible data destruction. They accomplish this by employing nefarious data-wiping attacks and publicly disclosing information, thereby intensifying the impact on the targets.

With the growing risk of destructive attacks attributed to Void Manticore and the group’s tendency to exploit political disputes, its malicious activity poses an increasing menace to the global cyber defender community as part of Iran’s escalating offensive activity against Israel and Albania. Coordinating efforts with Storm-0861 enables Void Manticore to reach a broader range of targets, which makes it an extremely perilous actor within the cyber threat arena. SOC Prime equips defenders with the complete product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation to facilitate proactive cyber defense against continuously escalating risks and remediate emerging threats in the least time possible.
