New BiBi-Windows Wiper Malware Emerges From Israel-Hamas Cyber War

In a recent development, BlackBerry Research and Intelligence Team has identified a new and concerning cyber threat emerging from the ongoing Israel-Hamas conflict.

The discovery comes in the wake of an Israeli-based incident response company, SecurityJoes, revealing findings about a Linux wiper malware known as the BiBi-Linux Wiper, employed by pro-Hamas hacktivists.

A “wiper” is a form of malicious software that is designed to permanently erase or destroy data on a targeted system. Unlike ransomware, which encrypts files and requires payment to unlock them, a wiper exists solely to cause harm by wiping or overwriting data.

Following a Hamas terrorist attack on Israel on October 7, a suspected Hamas-affiliated hacktivist group targeted Israeli companies, compromising their networks and deploying the BiBi-Linux Wiper.

Unlike typical ransomware attacks, this malware, discovered by SecurityJoes, appeared to be a wiper, intended solely for causing data destruction.

The malware contained a notable detail: the nickname of the Israeli Prime Minister, Bibi (Benjamin Netanyahu), hardcoded in both the malware and the extension of every destroyed file.

The situation escalated when the BlackBerry Research and Intelligence Team identified a variant of the BiBi-Linux Wiper designed to target Windows systems.

This variant, labeled the BiBi-Windows Wiper, signifies an expansion of the attack to include end-user machines and application servers.

Technical Analysis of BiBi-Windows Wiper

| Attribute | Details |
| --- | --- |
| MD5 | e26bba0304f14ef96beb60376791d32c |
| SHA256 | 40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17 |
| File Name | bibi.exe |
| File Size | 203.00 KB (207,872 bytes) |
| File Type | Win PE x64 |
| Compiler | Visual Studio (2019) |
| Infection Vector | Unknown |
| File Extensions Left Untouched | .exe, .dll, .sys |
| Wiping Process | Fills files with random bytes, renames them with a random sequence of letters, and appends an extension from BiBi1 to BiBi5 |
| Shadow Copies | Deleted from the system |
| Error Recovery | Disabled on startup |
| Windows Recovery | Disabled |
| Command Technique | Commands stored right-to-left (reversed) to evade antivirus detection |
| Dependency | Relies on Restart Manager (Rstrtmgr.dll) |

The timestamp on the BiBi-Windows Wiper suggests it was compiled on October 21, 2023, just 14 days after the initial terrorist attack. This x64 Windows portable executable (PE) is compiled using Visual Studio 2019.

Operation and Impact

While the infection vector remains unknown, once executed, the BiBi-Windows Wiper checks the system’s processor architecture and thread count.

To maximize destruction, the malware runs 12 threads with eight processor cores. The wiper destroys all files except those with essential extensions (.exe, .dll, and .sys).

The wiping process overwrites each file with random bytes and renames it with a random sequence of letters followed by an extension from BiBi1 to BiBi5, leaving the data unusable and unrecoverable.

The malware goes further by deleting shadow copies, disabling the system’s error recovery screen, and turning off the Windows Recovery feature.

The malware stores all of its commands reversed (written right-to-left) to evade the simple pattern-matching rules used by legacy antivirus products.
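As an added illustration (not code from the BlackBerry or SecurityJoes reports), the following Python triage script looks for the artefacts described above on a mounted volume or recovered image: file names made of a run of letters plus a .BiBi1 to .BiBi5 extension, the random-byte fill (checked through byte entropy), and the .exe/.dll/.sys files the wiper leaves alone. The entropy cut-off, the sample directory and its file names are assumptions.

```python
import math, os, random, re, tempfile
from collections import Counter
from pathlib import Path

# Naming pattern the report describes: a random run of letters, then an extension
# from .BiBi1 to .BiBi5. Files the wiper skips keep their .exe/.dll/.sys names.
WIPED_NAME = re.compile(r"^[A-Za-z]+\.BiBi[1-5]$")
SPARED_EXT = {".exe", ".dll", ".sys"}
ENTROPY_CUTOFF = 7.5  # assumed cut-off; a random-byte fill sits near 8.0 bits/byte

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(path: Path, sample_size: int = 4096) -> str:
    """Label a file: 'wiped', 'renamed-only', 'spared' or 'other'."""
    if path.suffix.lower() in SPARED_EXT:
        return "spared"
    if not WIPED_NAME.match(path.name):
        return "other"
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    # Name match plus random-looking content fits the described wipe; a name match
    # over structured content is flagged separately so an analyst can look closer.
    return "wiped" if entropy(head) >= ENTROPY_CUTOFF else "renamed-only"

def triage(root: Path) -> dict:
    """Walk a tree, tally labels and record the spread of BiBi1..BiBi5 extensions."""
    summary = {"wiped": 0, "renamed-only": 0, "spared": 0, "other": 0,
               "by_extension": Counter()}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            label = classify(p)
            summary[label] += 1
            if label in ("wiped", "renamed-only"):
                summary["by_extension"][p.suffix] += 1
    return summary

def demo() -> dict:
    """Constructed sample (not real wiper output): 3 random-filled renamed files, 1 spared .exe, 1 untouched document, 1 text decoy."""
    rng = random.Random(7)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for stem, ext in (("qwerty", "BiBi1"), ("asdfgh", "BiBi3"), ("zxcvbn", "BiBi5")):
            (root / f"{stem}.{ext}").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "notes.txt").write_text("quarterly report")
        (root / "abcdef.BiBi2").write_text("hello " * 100)
        return triage(root)
```

Point `triage()` at a mounted copy of the affected volume; a high `wiped` count spread across several BiBi extensions alongside intact `spared` binaries matches the behaviour described in the report.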

As the Israel-Hamas conflict intensifies, the emergence of cyber threats like the BiBi-Windows Wiper underscores the extension of warfare into the digital realm.

Wipers, which are intended for destruction rather than financial gain, have become a troubling tool in the midst of geopolitical crises. The developing nature of this cyber threat suggests that more such attacks may occur as the battle continues.

As the physical and digital boundaries converge, cybersecurity becomes an increasingly important part of modern combat.