In a recent development, BlackBerry Research and Intelligence Team has identified a new and concerning cyber threat emerging from the ongoing Israel-Hamas conflict.
The discovery comes in the wake of an Israeli-based incident response company, SecurityJoes, revealing findings about a Linux wiper malware known as the BiBi-Linux Wiper, employed by pro-Hamas hacktivists.
A “wiper” is a form of malicious software that is designed to permanently erase or destroy data on a targeted system. Unlike ransomware, which encrypts files and requires payment to unlock them, a wiper exists solely to cause harm by wiping or overwriting data.
Following a Hamas terrorist attack on Israel on October 7, a suspected Hamas-affiliated hacktivist group targeted Israeli companies, compromising their networks and deploying the BiBi-Linux Wiper.
Unlike typical ransomware attacks, this malware, discovered by SecurityJoes, appeared to be a wiper, intended solely for causing data destruction.
The malware contained a notable detail: the nickname of the Israeli Prime Minister, Bibi (Benjamin Netanyahu), hardcoded in both the malware and the extension of every destroyed file.
The situation escalated when the BlackBerry Research and Intelligence Team identified a variant of the BiBi-Linux Wiper designed to target Windows systems.
This variant, labeled the BiBi-Windows Wiper, signifies an expansion of the attack to include end-user machines and application servers.
Technical Analysis of BiBi-Windows Wiper
| Attribute | Details |
|---|---|
| MD5 | e26bba0304f14ef96beb60376791d32c |
| SHA256 | 40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17 |
| File Name | bibi.exe |
| File Size | 203.00 KB (207,872 bytes) |
| File Type | Win PE x64 |
| Compiler | Visual Studio (2019) |
| Infection Vector | Unknown |
| File Extensions | .exe, .dll, .sys |
| Wiping Process | Fills files with random bytes, renames with a random sequence, and adds BiBi1 to BiBi5 extension |
| Shadow Copies | Deleted from the system |
| Error Recovery | Disabled on startup |
| Windows Recovery | Disabled |
| Command Technique | Right-to-left storage to evade antivirus detection |
| Dependency | Relies on Restart Manager (Rstrtmgr.dll) |
The timestamp on the BiBi-Windows Wiper suggests it was compiled on October 21, 2023, just 14 days after the initial terrorist attack. This x64 Windows portable executable (PE) is compiled using Visual Studio 2019.
Operation and Impact
While the infection vector remains unknown, once executed, the BiBi-Windows Wiper checks the system’s processor architecture and thread count.
To maximize destruction, the malware runs 12 threads with eight processor cores. The wiper destroys all files except those with essential extensions (.exe, .dll, and .sys).
The wiping process renders files unusable and unrecoverable, renaming them with a random sequence of letters followed by the extension BiBi1 to BiBi5.
The malware goes further by deleting shadow copies, disabling the system’s error recovery screen, and turning off the Windows Recovery feature.
All commands are stored with a right-to-left technique to evade simple pattern detection rules used by legacy antivirus products.
As the Israel-Hamas conflict intensifies, the emergence of cyber threats like the BiBi-Windows Wiper underscores the extension of warfare into the digital realm.
Wipers, which are intended for destruction rather than financial gain, have become a troubling tool in the midst of geopolitical crises. The developing nature of this cyber threat suggests that more such attacks may occur as the battle continues.
As the physical and digital boundaries converge, cybersecurity becomes an increasingly important part of modern combat.
