Iranian MOIS-linked hackers have been identified as responsible for recent destructive cyber attacks on Albania and Israel 😓
These findings reveal that an Iranian cyber threat actor associated with the Ministry of Intelligence and Security (MOIS) is behind these attacks, operating under the aliases Homeland Justice (against Albania) and Karma (against Israel).
The cybersecurity firm Check Point has been monitoring this activity, identifying it as Void Manticore, also recognized by Microsoft as Storm-0842 (formerly DEV-0842).
Connection Between Threat Actors
There are significant overlaps between the targets of Void Manticore and another group, Scarred Manticore.
Evidence suggests a systematic transfer of targets between these two groups, especially when conducting destructive activities against existing victims of Scarred Manticore.
This coordination highlights a high degree of collaboration between the two threat actors.
Attacks on Albania by the Iranian MOIS-Linked Hackers
Since July 2022, the group known as Homeland Justice has been executing disruptive cyber attacks on Albania.
These attacks involve the deployment of custom wiper malware, including Cl Wiper and No-Justice (also known as LowEraser).
The objective of these attacks is to cause significant disruption by wiping data from targeted systems.
Attacks on Israel by the Iranian MOIS-Linked Hackers
Following the Israel-Hamas conflict in October 2023, similar wiper malware attacks have been reported in Israel.
These attacks target both Windows and Linux systems, utilizing a custom wiper known as BiBi.
The pro-Hamas hacktivist group responsible for these attacks operates under the name Karma.
Cybersecurity Techniques
The attack chains orchestrated by Void Manticore are notably straightforward.
They typically leverage publicly available tools and utilize protocols such as Remote Desktop Protocol (RDP), Server Message Block (SMB), and File Transfer Protocol (FTP) for lateral movement before deploying malware.
Initial access is often gained by exploiting known security vulnerabilities in internet-facing applications, such as CVE-2019-0604.
Lateral Movement and Malware Deployment
Once a foothold is established, the attackers deploy web shells, including a custom shell called Karma Shell.
This shell masquerades as an error page but is capable of directory enumeration, process creation, file uploading, and managing services.
Void Manticore is believed to use access previously obtained by Scarred Manticore (also known as Storm-0861) to carry out its intrusions, indicating a handoff procedure between the two groups.
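A defender-side check prompted by the error-page disguise described above, added here as an example and not code from Check Point, Microsoft or the threat actor: from the server's point of view, a web shell posing as an error page is a page that looks static yet keeps receiving POST requests from one or two clients. The log layout, the file name error.aspx, the client addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict
# Constructed, IIS-style (W3C) access log lines. Fields:
# date time c-ip cs-method cs-uri-stem sc-status cs-bytes(request size)
SAMPLE_LOG = """\
2024-05-20 10:00:01 203.0.113.7 GET /index.aspx 200 412
2024-05-20 10:00:05 203.0.113.7 GET /missing.aspx 404 390
2024-05-20 10:01:10 198.51.100.9 GET /error.aspx 200 401
2024-05-20 10:01:12 198.51.100.9 POST /error.aspx 200 1820
2024-05-20 10:01:40 198.51.100.9 POST /error.aspx 200 96544
2024-05-20 10:02:03 198.51.100.9 POST /error.aspx 200 2110
2024-05-20 10:02:30 203.0.113.7 POST /login.aspx 302 640
2024-05-20 10:03:00 192.0.2.4 POST /login.aspx 302 655
"""

FIELDS = ("date", "time", "client", "method", "uri", "status", "req_bytes")


def parse_log(text):
    """Yield one dict per well-formed line; blank, comment and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["status"], rec["req_bytes"] = int(rec["status"]), int(rec["req_bytes"])
        yield rec


def suspicious_post_targets(text, min_posts=3, max_clients=2):
    """Return [(uri, posts, gets, clients)] for URIs that behave like a web shell.

    Assumed heuristic (not from the report): at least min_posts POSTs from at most
    max_clients distinct clients, with POSTs outnumbering GETs. Real form handlers
    see many clients; a static error page has no reason to accept POST bodies at all.
    """
    stats = defaultdict(lambda: {"posts": 0, "gets": 0, "clients": set()})
    for rec in parse_log(text):
        s = stats[rec["uri"]]
        if rec["method"] == "POST":
            s["posts"] += 1
            s["clients"].add(rec["client"])
        elif rec["method"] == "GET":
            s["gets"] += 1
    return [
        (uri, s["posts"], s["gets"], sorted(s["clients"]))
        for uri, s in stats.items()
        if s["posts"] >= min_posts and len(s["clients"]) <= max_clients and s["posts"] > s["gets"]
    ]
```

On the constructed sample, `suspicious_post_targets(SAMPLE_LOG)` flags only /error.aspx; the login handler, which also takes POSTs, is left alone because its traffic comes from several clients.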
Iranian Coordination and Cooperation
Microsoft’s investigation into the attacks on the Albanian government in 2022 revealed that multiple Iranian actors were involved, each responsible for different phases of the attacks.
These phases included gaining initial access, exfiltrating data, deploying ransomware and wiper malware, and probing victim infrastructure.
This detailed coordination underscores the sophisticated nature of these operations.
Conclusion
The destructive cyber attacks by Iranian MOIS-linked hackers on Albania and Israel demonstrate a high level of coordination and capability.
The use of wiper malware and the strategic handoff of targets between different threat actors highlight the sophistication of these operations.
As these attacks continue to evolve, it is crucial for cybersecurity professionals to stay informed and vigilant to mitigate the threats posed by groups like Void Manticore.