BiBi-Linux: A New Wiper Dropped By Pro-Hamas Hacktivist Group

Cyber Security Threat Summary:
Researchers at Security Joes have uncovered a new Linux Wiper malware dubbed “BiBi-Linux Wiper,” being used by a pro-Hamas Hacktivist group to target Israeli entities in the ongoing Israeli-Hamas conflict. BiBi-Linux Wiper is an x64 ELF executable that is designed to render files unusable by overwriting their contents, further appending targeted files with an extension that uses the following structure “[RANDOM_NAME].BiBi[NUMBER].” According to Security Joes, the wiper lacks obfuscation, packing, or any protective measures. When it comes to customization, the wiper is limited in options, solely allowing threat actors to specify target folders via command line parameters.

Security Officer Comments:
Despite the lack of protective measures and customizability, wipers like BiBi-Linux can be very destructive, corrupting data irreversibly and at times leaving systems inoperable. A notable feature of BiBi-Linux is that it uses the nohup command during execution, which prevents the wiping process from halting even if the console is closed. The wiper also employs multi-threading to enhance its attack power and speed, while skipping files with the following “.out” and “.so” extensions which are essential for operation.

Suggested Correction(s):
According to VirusTotal submissions, the new wiper has only received two detections, indicating that the malware has not been widely distributed yet. However, this is likely to change, with hackers also targeting entities outside of Israel, including allies of Israel such as the United States.

Security Joes has published IOCs, YARA rules, and TTPs which can be used by organizations for detection purposes:

https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group

Link(s):
https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group