BiBi-Linux Wiper Malware

A hacktivist group supportive of Hamas has been observed using a new Linux wiper, tracked as BiBi-Linux Wiper, against Israeli organizations during the ongoing conflict between Israel and Hamas.

BiBi-Linux Wiper is an x64 ELF executable that uses no obfuscation or anti-analysis protection. The operator can point it at chosen target folders, and if it is run with root privileges it can destroy enough of the filesystem to leave the operating system unbootable.

Other Functionalities Discovered in the BiBi-Linux Wiper Malware

The wiper is multithreaded, corrupting many files in parallel to finish faster. It overwrites each file's contents and then renames the file using the hard-coded string 'BiBi', producing names of the form '[RANDOM_NAME].BiBi[NUMBER]'. It also skips files with certain extensions rather than corrupting them.

The malware is written in C/C++ and is about 1.2 MB in size. Target folders are passed as command-line parameters; if none is supplied it defaults to the root directory ('/'). Wiping from '/' requires root privileges; run as an ordinary user, the damage is limited to files that user can write.

Notably, BiBi-Linux Wiper runs itself under 'nohup' so that the process keeps executing in the background even if the session that launched it is closed. Files ending in .out or .so are exempted from overwriting. The exclusion is necessary for the wiper's own operation: it depends on bibi-linux.out (its own binary) and nohup.out (the output file nohup creates), and on the shared libraries (.so files) the Linux system needs in order to keep the process running.
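For incident response, the behaviours above (the '.BiBi[NUMBER]' rename, the .out/.so exclusion, and the nohup.out and bibi-linux.out support files) are enough to write a triage scanner that classifies files on a suspect host. The following is an added example, not code from the original page or from the reported wiper. It assumes NUMBER is a run of decimal digits and builds a constructed sample tree in a temporary directory; the file names and contents in that tree are made up for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming scheme described in the report: '[RANDOM_NAME].BiBi[NUMBER]'.
# Only the '.BiBi<digits>' suffix is matched, because the random part is
# unspecified (assumption: NUMBER is decimal digits).
WIPED_NAME_RE = re.compile(r"^[^/]+\.BiBi\d+$")

# Extensions the wiper leaves alone, per the description.
SKIPPED_EXTENSIONS = {".out", ".so"}

# Files the wiper itself depends on; finding them is a supporting indicator.
SUPPORT_FILES = {"bibi-linux.out", "nohup.out"}


def is_wiped_name(name: str) -> bool:
    """True if a file name matches the post-wipe renaming scheme."""
    return WIPED_NAME_RE.match(name) is not None


def would_be_skipped(name: str) -> bool:
    """True if the wiper's extension exclusion would have spared this file.

    Follows the page literally: only a final '.out' or '.so' suffix counts, so a
    versioned library such as 'libfoo.so.6' (suffix '.6') is not treated as
    spared; whether the real wiper skips those is not stated on the page.
    """
    return Path(name).suffix in SKIPPED_EXTENSIONS


def triage_tree(root: str) -> dict:
    """Walk a directory tree and classify every regular file.

    Returns lists of wiped artefacts, files the exclusion would have spared,
    apparently intact files, and any wiper support files encountered.
    """
    result = {"wiped": [], "skipped": [], "intact": [], "support_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name in SUPPORT_FILES:
                result["support_files"].append(full)
            if is_wiped_name(name):
                result["wiped"].append(full)
            elif would_be_skipped(name):
                result["skipped"].append(full)
            else:
                result["intact"].append(full)
    return result


def build_sample_tree() -> str:
    """Create a constructed sample tree resembling a partially wiped host.

    Every path and content here is invented for the example; none of it is an
    artefact from a real incident.
    """
    root = tempfile.mkdtemp(prefix="bibi-triage-")
    layout = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",  # intact file
        "home/user/notes.txt": "quarterly numbers\n",      # intact file
        "home/user/Xk2p9Q.BiBi1": "\x00" * 64,             # wiped artefact
        "home/user/ZqL0mA.BiBi2": "\x00" * 64,             # wiped artefact
        "usr/lib/libexample.so": "ELF",                    # spared by .so rule
        "tmp/nohup.out": "",                               # support file (.out)
        "tmp/bibi-linux.out": "ELF",                       # support file (.out)
    }
    for rel, content in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    summary = triage_tree(sample_root)
    for key in ("wiped", "skipped", "intact", "support_files"):
        print(f"{key}: {len(summary[key])}")
        for p in sorted(summary[key]):
            print("   ", os.path.relpath(p, sample_root))
```

Point triage_tree() at a mounted image or live root to get the same summary; the wiped list gives the blast radius, the skipped list shows which files the exclusion left usable, and any support_files hits are worth preserving before cleanup.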

Hackers are Focusing Their Activities on High-Profile Targets in the Middle East

Researchers believe that the suspected Hamas-affiliated threat actor Arid Viper (also tracked as APT-C-23, Desert Falcon, Gaza Cyber Gang and Molerats) likely operates as two distinct sub-groups, each primarily focused on cyber espionage against either Israel or Palestine.

Arid Viper routinely targets individuals, including pre-selected high-profile figures of both Palestinian and Israeli background, as well as broader groups in critical sectors such as defense and government organizations, law enforcement, and political parties and movements.

Its attack chains typically begin with social engineering and phishing for initial access, followed by deployment of a range of custom spyware. That arsenal gives the actor capabilities including audio recording through the microphone, detection and exfiltration of files from inserted flash drives, and theft of saved browser credentials.
