BiBi
| Type of Malware | Wiper |
| Additional names | BiBi-Linux, BiBi-Windows |
| Date of initial activity | 2023 |
| Country of Origin | Iran |
| Associated Groups | Void Manticore |
| Targeted Countries | Israel |
| Motivation | To cause significant disruption and destruction to targeted systems by deleting their files |
| Attack Vectors | Infected email attachments, malicious online advertisements, social engineering, software 'cracks' |
| Targeted Systems | Linux and Windows |
Overview
BiBi-Linux is a newly discovered Linux-based wiper malware, emerging from the ongoing conflict between Israel and Hamas. The malware, an x64 ELF executable, is notable for its simplicity in design and its highly destructive capabilities. Unlike more complex malware that often incorporates obfuscation techniques to evade detection, BiBi-Linux is straightforward, lacking any significant protective measures. Its primary function is to inflict damage rather than to carry out traditional malicious activities such as data theft or ransomware demands.
The malware is designed to overwrite files with random data, rendering them completely unusable. This action is particularly devastating as it can lead to the loss of critical data and disrupt the target’s operations. In addition to overwriting files, BiBi-Linux renames the corrupted files with a random string that includes “BiBi” in the extension, which personalizes the attack and further complicates recovery efforts. This naming convention is not arbitrary; it reflects the malware’s underlying political motivations, particularly its connection to the conflict in the Middle East.
BiBi-Linux’s lack of encryption or data exfiltration capabilities differentiates it from other types of malware. It does not establish a connection with remote command and control servers, nor does it include ransom notes. This absence of traditional ransomware features underscores the malware’s role as a wiper—a type of malicious software specifically designed to destroy data rather than extract value from it.
Targets
Israeli critical infrastructure, government entities, and large corporations
How they operate
In the ongoing conflict between Israel and Hamas, a new and particularly aggressive form of cyberweapon has emerged, identified as BiBi-Linux. This wiper malware has been employed by a pro-Hamas hacktivist group targeting Israeli companies, and its distinctive features and operation reveal a sophisticated and destructive approach to cyber warfare.
BiBi-Linux is an x64 ELF executable that stands out for its lack of obfuscation or protective measures. Designed to execute on Linux systems, the malware’s primary function is to overwrite and destroy files across targeted systems. Its operation is remarkably straightforward yet devastatingly effective. Upon execution, BiBi-Linux begins to corrupt files by overwriting them with random data, rendering them irretrievable. The malware does not employ reversible encryption or ransom notes, indicating its intent is purely destructive rather than financially motivated. This aligns with its classification as a wiper malware, a type of software intended to erase data without providing a means for recovery.
The malware’s functionality is further underscored by its hardcoded references to the Israeli Prime Minister, Benjamin Netanyahu, through the string “BiBi” embedded within its code. This not only highlights the malware’s political motivations but also serves as a form of psychological warfare, adding a layer of symbolic aggression to its technical attacks. During its operation, BiBi-Linux prints extensive output detailing its progress; it is run under “nohup” with that output redirected to a file, so the process keeps running even after the terminal session is closed, amplifying its destructive impact.
The architecture of BiBi-Linux includes a multi-threaded approach that allows it to execute file corruption concurrently across multiple threads. This enhances the speed and efficiency of the attack, ensuring a broader reach and more significant damage within a shorter time frame. The malware leverages several Linux system calls to manage its threads and processes, reflecting its capability for high-performance execution.
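As an added defender-side example (not code from this page or from the malware write-up it summarises), the following Python script triages a file tree for the two traces the text describes: a “BiBi” string in the extension and file contents replaced with random data. The exact extension pattern, the entropy threshold, and the sample tree are assumptions constructed for the example.

```python
import math
import os
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: the wiper's rename leaves "BiBi" somewhere in the final extension;
# the surrounding characters are random, so match loosely and case-insensitively.
BIBI_EXT = re.compile(r"\.[^./]*bibi[^./]*$", re.IGNORECASE)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; close to 8.0 means random-looking content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_overwritten(path: Path, sample_size: int = 4096, threshold: float = 7.5) -> bool:
    """Heuristic only: compressed or encrypted files are also high-entropy, so
    treat this as corroboration for a suspicious name, not proof on its own."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(sample_size)) >= threshold

def triage(root) -> dict:
    """Walk a tree and collect files renamed by the wiper and files whose leading
    bytes look like random data; a file in both lists is unrecoverable."""
    report = {"renamed": [], "high_entropy": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if BIBI_EXT.search(name):
                report["renamed"].append(str(p))
            try:
                if looks_overwritten(p):
                    report["high_entropy"].append(str(p))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return report

def demo() -> dict:
    """Constructed sample tree: one intact text file and one wiped file."""
    root = Path(tempfile.mkdtemp(prefix="bibi_triage_"))
    (root / "notes.txt").write_bytes(b"quarterly report draft\n" * 200)
    # constructed stand-in for a wiped file: random bytes, "BiBi" in the extension
    rng = random.Random(1234)
    (root / "gfd8sa.BiBi3").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    return triage(root)
```

Run `triage()` against a mounted snapshot of an affected host to scope the damage; because the wiper uses no reversible encryption, files that appear in both lists can only be restored from backups.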
MITRE tactics and techniques
Exploit Public-Facing Application (T1190)
Command and Scripting Interpreter: Unix Shell (T1059.004)
Software Deployment Tools (T1072)
File and Directory Discovery (T1083)
System Information Discovery (T1082)
Data Destruction (T1485)
Significant Malware Campaigns
Destructive Cyberattacks on Israeli Companies: BiBi-Linux was discovered as part of a series of attacks on Israeli companies, aimed at disrupting their operations and causing significant data loss. The malware’s deployment was part of a broader campaign by a pro-Hamas hacktivist group to undermine Israeli infrastructure amid the conflict.
Wiper Attack Against Critical Infrastructure: The malware was used in attacks against critical infrastructure within Israel, where it targeted and destroyed data across multiple systems. The primary goal of these attacks was to cripple the operational capabilities of affected organizations by rendering their data irretrievable.
Political Symbolism in Attacks: The malware’s use of the string “BiBi,” a reference to Israeli Prime Minister Benjamin Netanyahu, in both the filenames and the file extensions of corrupted data, underscores the political nature of the attacks. This symbolic action was intended to amplify the psychological impact of the cyberattacks, aligning with the hacktivist group’s broader political agenda.