BiBi-Linux wiper targets Israeli companies

Attackers have started using new wiper malware called BiBi-Linux to attack Israeli companies and destroy their data.

The BiBi-Linux wiper

The Security Joes Incident Response team found the malware during a forensics investigation of a breach within an Israeli company.

“This malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions,” Security Joes researchers noted.

“During execution, it produces extensive [terminal] output, which can be mitigated using the ‘nohup’ command. It also leverages multiple threads and a queue to corrupt files concurrently, enhancing its speed and reach.”

The wiper first overwrites the files’ content with random data and then it renames them and adds an extension that includes the substring “BiBi” (Bibi is the nickname for Israeli Prime Minister Benjamin Netanyahu). It does not affect .out or .so file types (.so are needed by Unix/Linux operating systems to function).

No ransom note is shown, and the malware does not use reversible encryption algorithms and does not establish C2 communication to exfiltrate data. It all points to this being a purely destructive effort.

“What particularly caught our attention was the fact that the analyzed binary had never been documented before. As of the writing of this report, it has only received two detections on VirusTotal. This indicates that the malware is relatively new and not widely distributed yet,” the researchers said.

They have also published IoCs, Yara rules and TTPs for the investigated wiper sample.

Wiper attacks

Pro-Palestinian hacktivists have lately expanded their attacks to target not only Israeli objectives but also countries considered to be Israeli allies.

Wiper malware has also been widely used by Russian hackers to target Ukrainian companies, government organizations and critical infrastructure.

Attackers deploying wipers generally do not have a financial interest in mind, but aim to wipe as much data as possible and destroy operating systems.

UPDATE (November 14, 2023, 10:30 a.m. ET):

The BlackBerry Research and Intelligence Team has found a new variant of the BiBi wiper malware that targets Windows systems. They named it BiBi-Windows Wiper.

“The malware sample is a x64 Windows portable executable (PE) compiled using Visual Studio 2019, with a file size of 203KB,” they noted.

“While the infection vector is currently unknown, once the implant is executed, it checks the processor architecture and the number of threads in the intended victim’s system. For the fastest possible destruction action, the malware runs 12 threads with eight processor cores. During execution, the wiper outputs the result to the console.”

BiBi-Windows wiper does not affect files with .exe, .dll, and .sys extensions as the computer needs them to function properly.

It first fills the targeted files with random bytes to make them unusable, then renames them using a random sequence of letters, and finally adds the BiBi extension.

It also deletes shadow copies (i.e., snapshots of computer files or volumes), disables the Error Recovery screen on startup, and turns off the Windows Recovery feature.