CL (Wiper) – Malware

May 21, 2024
Name: Cl
Type of Malware: Wiper
Date of initial activity: 2022
Country of Origin: Iran
Associated Groups: Void Manticore
Targeted Countries: Albania
Motivation: To cause significant disruption and destruction to targeted systems by deleting their files
Attack Vectors: Cl Wiper can be deployed through various methods, such as phishing emails, malicious websites, or exploitation of vulnerabilities in software
Targeted System: Windows

Overview

The CL wiper is a destructive malware tool used by the Void Manticore threat actor, known for its capability to irreversibly erase data on infected systems. This wiper specifically targets the Master Boot Record (MBR) and other critical system components, rendering the affected machines completely inoperable. By overwriting crucial boot data and system files, the CL wiper ensures that the operating system cannot be loaded, effectively causing a denial of service. The use of such a tool by Void Manticore highlights their intent to not only disrupt operations but also to inflict maximum damage on targeted organizations, making data recovery extremely difficult and costly.

Targets

Albanian critical infrastructure, government entities, and large corporations

How they operate

The CL ransomware, employed by the Void Manticore threat actor, represents a sophisticated and destructive form of cyber extortion. It first gains access to the targeted system through initial access methods such as phishing emails, malicious attachments, or exploitation of vulnerabilities in software or operating systems. Once inside, it executes its payload, typically using obfuscation techniques to evade detection by security software. The malicious code then begins its primary task: encrypting the Master Boot Record (MBR) and other crucial system files so that the system can no longer boot properly.

Once the MBR has been encrypted, the ransomware effectively hijacks the boot process. When the infected computer is restarted, its code intercepts the normal boot procedure and replaces it with the malicious payload. Instead of loading the operating system, the machine displays a ransom note demanding payment in exchange for a decryption key. The note usually includes instructions on how to pay, typically in cryptocurrency to preserve the attackers' anonymity, and may warn that failure to pay will result in the permanent loss of data.

In addition to the MBR, CL ransomware may target other critical files and directories, further crippling the victim's system. It typically employs strong encryption algorithms, making it virtually impossible to decrypt the files without the unique key held by the attackers. This multi-layered strategy not only denies the victim access to the system but also increases the pressure to pay, since restoring the system without the key is a formidable challenge.

Preventing and mitigating the impact of CL ransomware requires a comprehensive cybersecurity strategy. Organizations should implement robust email filtering and web security controls to block phishing attempts and malicious downloads. Keeping software and operating systems current with the latest security patches closes the vulnerabilities the ransomware can exploit. Regular backups of critical data are essential, and they should be stored offline or in a secure, isolated environment so that they cannot be encrypted along with the production systems.

In the event of a CL ransomware infection, it is generally advised not to pay the ransom: payment does not guarantee data recovery and further encourages the criminals. Affected organizations should instead engage cybersecurity specialists, who can identify the specific variant, remove the malicious code, recover the MBR, and restore system functionality where possible. They can also perform a forensic analysis to determine how the ransomware infiltrated the system and recommend measures to prevent future attacks.
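Because the damage described above is done in sector 0 of the disk, a defender can baseline that sector and detect when it has been overwritten. The following is an added example, not code from the original post or from the referenced reports: it parses a 512-byte MBR, compares the boot code against a stored SHA-256 baseline, and flags a missing 0x55AA signature or an emptied partition table. The device path, the sample sectors and the baseline hash are constructed assumptions for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition table and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "partitions": partitions,
            "signature_ok": mbr[510:512] == BOOT_SIGNATURE}

def assess_mbr(mbr: bytes, baseline_boot_sha256: str) -> list:
    """Return findings that indicate sector 0 was overwritten since the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector no longer bootable")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline: possible bootloader replacement")
    if not any(p["type"] for p in info["partitions"]):
        findings.append("partition table empty: entries zeroed or overwritten")
    return findings

def read_physical_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a Windows disk (assumed path); requires administrator rights."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)

# Constructed sample sectors for offline testing (not real captures).
def build_sample_mbr() -> bytes:
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439  # 446-byte stub
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # bootable NTFS entry
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE

HEALTHY_MBR = build_sample_mbr()
BASELINE_BOOT_HASH = hashlib.sha256(HEALTHY_MBR[:446]).hexdigest()
WIPED_MBR = b"\x00" * MBR_SIZE  # what remains after sector 0 is zeroed

if __name__ == "__main__":
    print("healthy:", assess_mbr(HEALTHY_MBR, BASELINE_BOOT_HASH))
    print("wiped:", assess_mbr(WIPED_MBR, BASELINE_BOOT_HASH))
```

In practice the baseline hash is recorded while the host is known-good and the check is scheduled to run with administrator rights, so that tampering with sector 0 is reported before the next reboot fails.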

MITRE tactics and techniques

Initial Access (TA0001)
  • Phishing (T1566): Attackers use phishing emails with malicious attachments or links to deliver the ransomware payload.
  • Drive-by Compromise (T1189): Victims unknowingly visit compromised websites that automatically download the ransomware.

Execution (TA0002)
  • Malicious File Execution (T1204): The ransomware executes when a malicious file or attachment is opened.
  • User Execution (T1204.002): The user is tricked into running the malicious file.

Persistence (TA0003)
  • Boot or Logon Autostart Execution (T1547): The ransomware ensures persistence by modifying the MBR, which is executed during the boot process.

Privilege Escalation (TA0004)
  • Exploitation for Privilege Escalation (T1068): The ransomware may exploit vulnerabilities to gain higher privileges.

Defense Evasion (TA0005)
  • Obfuscated Files or Information (T1027): Crypters and packers are used to evade detection by security software.
  • Modify Registry (T1112): Registry entries are changed to disable security tools or alter system behavior.
  • Indicator Removal on Host (T1070): Logs and other artifacts are deleted to remove traces of the attack.

Credential Access (TA0006)
  • Credential Dumping (T1003): Stored credentials are accessed to further the attack.

Discovery (TA0007)
  • System Information Discovery (T1082): Information about the system is gathered to tailor the attack.
  • File and Directory Discovery (T1083): Important files and directories are identified as targets.

Lateral Movement (TA0008)
  • Remote File Copy (T1105): Malicious files are copied to other systems on the network.

Collection (TA0009)
  • Data from Local System (T1005): Files and data are collected from the compromised system.

Exfiltration (TA0010)
  • Exfiltration Over C2 Channel (T1041): Collected data is sent to Command and Control servers.

Impact (TA0040)
  • Data Encrypted for Impact (T1486): Files and the MBR are encrypted to render the system unusable until a ransom is paid.
  • Inhibit System Recovery (T1490): System recovery features are disabled or deleted to prevent the victim from easily restoring the system.