Executive Summary
A wiper known as BiBi-Linux was recently observed targeting entities in Israel. A pro-Hamas hacktivist group was behind the attacks.
Key Takeaways
- A wiper known as BiBi-Linux was recently observed targeting entities in Israel.
- The attacks were targeted, with sabotage and data destruction as the motive.
- The activity was attributed to a pro-Hamas hacktivist group.
- BiBi-Linux allows threat actors to target specific folders and can wipe an operating system if run with root permissions.
What is BiBi-Linux?
The Russia-Ukraine conflict has shown us that both nation-state and hacktivist entities often turn to cyberattacks as an echo of the kinetic conflict. Industry researchers have observed a similar trend amid the Israel-Gaza conflict.
A wiper known as BiBi-Linux was recently observed targeting entities in Israel. Security Joes reported on this activity. The activity was attributed to a pro-Hamas hacktivist group. According to Security Joes researchers, the attacks were targeted, with sabotage and data destruction as the motive. They discovered BiBi-Linux while investigating the breach of an Israeli company’s network.
BiBi-Linux is an x64 ELF executable. While the malware fakes file encryption, reminiscent of ransomware, it does not otherwise attempt to disguise its true purpose. It does not drop a ransom note, exfiltrate files, or use reversible encryption algorithms. It also does not establish communication with a remote C2, indicating no data was exfiltrated. Espionage does not seem to be part of the threat actor’s intent.
BiBi-Linux allows threat actors to target specific folders and can wipe an operating system if run with root permissions. It corrupts files by overwriting them with useless data, damaging both the data and the operating system. BiBi-Linux uses multiple threads and a queue system, increasing speed and effectiveness.
This is not the first hacktivist activity observed targeting Israeli entities during the Israel-Gaza conflict. Last month, threat actors were observed using a malicious clone of the RedAlert Android app to target users in Israel. The genuine RedAlert app allows users to receive alerts about incoming airstrikes, potentially saving lives. The pro-Palestine hacktivist group AnonGhost used the malicious clone of RedAlert to collect sensitive user data on victim devices.
IOCs
PolySwarm has a sample of BiBi-Linux.
23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad
You can use the following CLI command to search for all BiBi-Linux samples in our portal:
$ polyswarm link list -f BiBi-Linux
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.