The PolySwarm Blog


BiBi-Linux Wiper

Nov 10, 2023 12:18:01 PM / by The Hivemind


Executive Summary

A wiper known as BiBi-Linux was recently observed targeting entities in Israel. A pro-Hamas hacktivist group was behind the attacks.

Key Takeaways

  • A wiper known as BiBi-Linux was recently observed targeting entities in Israel. 
  • The attacks were targeted, with sabotage and data destruction as the motive.
  • The activity was attributed to a pro-Hamas hacktivist group.
  • BiBi-Linux allows threat actors to target specific folders and can wipe an operating system if run with root permissions.

What is BiBi-Linux?

The Russia-Ukraine conflict has shown us that both nation-state and hacktivist entities often turn to cyberattacks as an echo of the kinetic conflict. Industry researchers have observed a similar trend amid the Israel-Gaza conflict.

A wiper known as BiBi-Linux was recently observed targeting entities in Israel. Security Joes, who reported on this activity, discovered BiBi-Linux while investigating the breach of an Israeli company's network. The activity was attributed to a pro-Hamas hacktivist group. According to Security Joes researchers, the attacks were targeted, with sabotage and data destruction as the motive.

BiBi-Linux is an x64 ELF executable. Although it mimics ransomware by appearing to encrypt files, it otherwise makes no attempt to disguise its true purpose: it drops no ransom note, exfiltrates no files, and uses no reversible encryption algorithm. It also establishes no communication with a remote C2, which is consistent with no data having been exfiltrated. Espionage does not appear to be part of the threat actor's intent.

BiBi-Linux lets the operator target specific folders and, if run with root permissions, can wipe the entire operating system. It destroys files by overwriting their contents with useless data, so both the data and the operating system are damaged. It uses multiple worker threads fed from a queue, which increases the speed and effectiveness of the wiping.

This is not the first hacktivist activity observed targeting Israeli entities during the Israel-Gaza conflict. Last month, threat actors were observed using a malicious clone of the RedAlert Android app to target users in Israel. The genuine RedAlert app allows users to receive alerts about incoming airstrikes, potentially saving lives. The pro-Palestine hacktivist group AnonGhost used the malicious clone of RedAlert to collect sensitive user data on victim devices.

IOCs

PolySwarm has a sample of BiBi-Linux.


23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad


You can use the following CLI command to search for all BiBi-Linux samples in our portal:

$ polyswarm link list -f BiBi-Linux
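For offline triage of a local file against this bulletin, the following script is an added example (not PolySwarm's or Security Joes' code). It checks the three things the post gives us: the SHA-256 listed under IOCs, the "x64 ELF" file type described above (by parsing the ELF header's class and e_machine fields), and, for files the wiper may have touched, whether the contents look like the "useless data" a wiper leaves behind, using byte entropy. The 7.5 bits-per-byte threshold, the 64-byte minimum size, the function names and the sample inputs are assumptions and constructions for illustration, not indicators from the report.

```python
"""Offline triage of files against the BiBi-Linux bulletin.

Added example, not PolySwarm's or Security Joes' code. The entropy
threshold, the minimum file size and the demo inputs below are assumptions
and constructed data, not indicators published in the report.
"""
import hashlib
import math
import struct
import sys
from collections import Counter
from pathlib import Path

# SHA-256 published in the bulletin's IOC section.
IOC_SHA256 = {
    "23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad",
}

EM_X86_64 = 0x3E  # e_machine value for AMD x86-64 in the ELF specification


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_x64_elf(data: bytes) -> bool:
    """True if `data` starts with a 64-bit ELF header whose e_machine is x86-64."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return False
    ei_class, ei_data = data[4], data[5]
    if ei_class != 2:  # ELFCLASS64
        return False
    endian = {1: "<", 2: ">"}.get(ei_data)  # ELFDATA2LSB / ELFDATA2MSB
    if endian is None:
        return False
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)  # e_ident[16] + e_type[2]
    return e_machine == EM_X86_64


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) or 0.0


def triage_bytes(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Classify one file's contents against the bulletin's indicators (assumed threshold)."""
    digest = sha256_hex(data)
    entropy = shannon_entropy(data)
    return {
        "sha256": digest,
        "ioc_match": digest in IOC_SHA256,
        "x64_elf": is_x64_elf(data),
        "entropy": round(entropy, 3),
        # Tiny files give noisy entropy, so ignore anything under 64 bytes (assumption).
        "looks_overwritten": len(data) >= 64 and entropy >= entropy_threshold,
    }


def scan_tree(root: Path) -> list:
    """Walk `root` and return findings for files that hit any of the three checks."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or p.is_symlink():
            continue
        try:
            result = triage_bytes(p.read_bytes())
        except OSError:
            continue
        result["path"] = str(p)
        if result["ioc_match"] or result["x64_elf"] or result["looks_overwritten"]:
            findings.append(result)
    return findings


# Constructed demo inputs (not real malware): a minimal 64-byte ELF64 header
# for x86-64, a config-like text file, and a deterministic stand-in for
# random bytes (every byte value equally often, so entropy is exactly 8.0).
FAKE_ELF64_X64 = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # e_ident: class=64-bit, little-endian
    + struct.pack("<HH", 2, EM_X86_64)               # e_type=ET_EXEC, e_machine=x86-64
    + b"\x00" * 44                                   # rest of the 64-byte header
)
FAKE_CONFIG = b"listen=0.0.0.0:8080\nuser=www-data\n" * 4
FAKE_WIPED = bytes(range(256)) * 16

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for finding in scan_tree(Path(sys.argv[1])):
            print(finding)
    else:
        for name, blob in [("elf", FAKE_ELF64_X64), ("config", FAKE_CONFIG), ("wiped", FAKE_WIPED)]:
            print(name, triage_bytes(blob))
```

Run it with a directory argument to walk a mounted image or a suspect host's filesystem; without arguments it triages the constructed samples. The hash check is exact and only catches this one sample; the ELF and entropy checks are heuristics meant to shortlist files for a human, not to decide on their own.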


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Middle East, Wiper, Hacktivism, Palestine, Israel, Hamas, BiBi-Linux
