Cybersecurity experts have uncovered a significant development in the evolving landscape of cyber warfare. Originally observed as a Linux-based threat in the Israel-Hamas war, the notorious BiBi wiper malware has now extended its reach to Windows systems, posing a heightened risk to end-user machines and application servers.
The BiBi-Linux Wiper was initially identified by Israeli incident response company SecurityJoes on October 30, shedding light on its usage by pro-Hamas hacktivists. This Linux variant was strategically deployed in a series of cyber attacks against Israeli companies following a physical terrorist attack by Hamas on October 7. Unlike traditional ransomware, the BiBi-Linux malware operated as a wiper, designed with the sole intent of causing widespread data destruction.
SecurityJoes revealed that the malware contained a hardcoded reference to the commonly-used nickname of the Israeli Prime Minister, “Bibi” (Benjamin Netanyahu), adding a layer of geopolitical context to the cyber threat. Analysts speculate that the wiper may have been crafted by a group affiliated with Hamas, seeking to exploit the chaos of the ongoing conflict.
BlackBerry Research and Intelligence Team discovered a variant of the BiBi wiper tailored for Windows systems, aptly named the BiBi-Windows Wiper. This development underscores the adaptability and persistence of the threat actors, as they expand their targets to include a broader range of machines, particularly those running on the widely used Windows operating system.
Technical Insights into BiBi-Windows Wiper
MD5: e26bba0304f14ef96beb60376791d32c
SHA256: 40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17
File Name: bibi.exe
File Size: 203.00 KB (207,872 bytes)
File Type: Win PE x64
Compiler: Visual Studio (2019)
The BiBi-Windows Wiper, compiled on October 21, 2023, just 14 days after the initial terror attack by Hamas, is a Windows portable executable (PE) built with Visual Studio 2019. With a file size of 203KB, the malware checks the processor architecture and number of threads on the victim's system upon execution. To maximize destruction speed, the wiper runs 12 threads on eight processor cores, giving it a swift and efficient means of carrying out its destructive mission.
While the infection vector remains unknown, the malware excludes files with .exe, .dll, and .sys extensions from destruction, as these are essential for the system's operation. The wiping process renders targeted files unusable by overwriting them with random bytes and renaming them to a random sequence of letters followed by one of the extensions BiBi1 through BiBi5.
Moreover, the BiBi-Windows Wiper systematically eliminates shadow copies from the system, preventing file recovery unless users have an offline backup. It employs command-line instructions to delete shadow copies and disables the system’s trigger for the Error Recovery screen on startup. Additionally, the malware turns off the Windows Recovery feature, further complicating the recovery process.
Notably, the malware stores its CMD command strings reversed (right-to-left), so antivirus products that rely on simple string-pattern rules matching the forward form of those commands do not flag them.
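The two behaviours above (the rename scheme and the reversed command strings) lend themselves to simple checks. The following is an added example written for this article, not code from BlackBerry or SecurityJoes: it flags filenames that follow the random-letters-plus-BiBi1..BiBi5 scheme, and scans a byte buffer for recovery-tampering commands stored both forward and reversed. The command strings are assumed examples of the command classes the article describes (shadow-copy deletion, boot-status and recovery settings); the article does not quote the exact strings, and the sample inputs are constructed.

```python
import re
from pathlib import PurePath

# Rename scheme from the write-up: letters only, then extension BiBi1..BiBi5.
BIBI_NAME = re.compile(r"^[A-Za-z]+\.BiBi[1-5]$")

# Assumed examples of the command classes described (not quoted from the article).
RECOVERY_TAMPER_FRAGMENTS = [
    b"vssadmin delete shadows",
    b"wmic shadowcopy delete",
    b"bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    b"bcdedit /set {default} recoveryenabled no",
]


def is_bibi_renamed(path: str) -> bool:
    """True if the file name matches the BiBi rename scheme (case-sensitive)."""
    return BIBI_NAME.match(PurePath(path).name) is not None


def count_bibi_renamed(paths):
    """Number of entries in a directory listing that match the rename scheme."""
    return sum(1 for p in paths if is_bibi_renamed(p))


def find_tamper_commands(blob: bytes) -> dict:
    """Return which command fragments occur forward and which occur reversed.

    A pattern rule that only looks for the forward string misses the
    right-to-left stored form; checking frag[::-1] closes that gap.
    """
    lowered = blob.lower()
    forward = [f.decode() for f in RECOVERY_TAMPER_FRAGMENTS if f in lowered]
    reversed_hits = [f.decode() for f in RECOVERY_TAMPER_FRAGMENTS if f[::-1] in lowered]
    return {"forward": forward, "reversed": reversed_hits}


if __name__ == "__main__":
    # Constructed sample listing: two renamed files, one spared .exe, one normal document.
    listing = ["C:/data/qwpzkl.BiBi3", "C:/data/AbcDef.BiBi1", "C:/data/app.exe", "C:/data/report.docx"]
    print("renamed files:", count_bibi_renamed(listing))  # 2
    # Constructed sample buffer with one reversed command string embedded in filler bytes.
    sample = b"\x00\x90MZ filler " + b"vssadmin delete shadows"[::-1] + b" more filler"
    print(find_tamper_commands(sample))
```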
As cybersecurity experts continue to unravel the complexities of the BiBi-Windows Wiper, the evolution of this malware underscores the dynamic nature of cyber threats and the imperative for robust cybersecurity measures to safeguard critical systems and data.