October 30, 2023 at 12:59PM
A new wiper malware called BiBi-Linux is targeting Linux systems of Israeli companies to destroy data. It does not drop a ransom note or establish communication with the attackers. The malware overwrites files with useless data, damaging both the data and the operating system, and it can wipe an entire device if run with root privileges. It uses multiple threads and a queue system and appends a ransom name and number to the files it destroys. The sample has no protective measures, suggesting the attackers prioritize impact over evading detection. Similar destructive malware has been used by Russian threat groups in Ukraine.
Key Points from the Meeting Notes:
– A new malware wiper called BiBi-Linux is being used to target Linux systems belonging to Israeli companies.
– The malware does not drop a ransom note or provide a way for victims to negotiate payment for a decryptor.
– BiBi-Linux overwrites files with useless data, damaging both the data and the operating system.
– The attackers can choose which folders to encrypt using command-line parameters.
– BiBi-Linux uses multiple threads and a queue system for improved speed and effectiveness.
– The malware renames files with a ransom name and an extension containing the string ‘BiBi’ followed by a number.
– The wiper sample discovered has no obfuscation or other protective measures, making it easier to analyze.
– Destructive malware has been extensively used by Russian threat groups against Ukrainian organizations since February 2022.
– Examples of wiper malware used in attacks on Ukraine include DoubleZero, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, CaddyWiper, and AcidRain.
– Russian Sandworm military hackers deployed five different data-wiping malware strains on Ukraine’s national news agency’s network in January.
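The one host-level artifact the summary gives defenders is the rename: destroyed files get an extension containing the string 'BiBi' followed by a number. The following is an added example (not code from the article or from any analysis of the sample) of a small scanner that walks a directory tree and flags filenames carrying that pattern, which an incident responder could run over a suspect mount or a backup snapshot to gauge how far a wiper run got. The exact filename layout (`<original name>.BiBi<number>`) and the constructed sample files are assumptions for demonstration; the article only states that the extension contains 'BiBi' and a number.

```python
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Assumed pattern based on the article: an extension consisting of the
# string "BiBi" followed by one or more digits. The layout is hypothetical;
# adjust the regex if a real sample shows a different rename scheme.
BIBI_EXT_RE = re.compile(r"\.BiBi\d+$")


def is_suspect_name(filename: str) -> bool:
    """Return True if the filename ends with a BiBi-style extension."""
    return BIBI_EXT_RE.search(filename) is not None


def scan_for_bibi_renames(root: str) -> list[str]:
    """Walk root and return sorted relative paths whose names match."""
    hits: list[str] = []
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_suspect_name(name):
                rel = Path(dirpath, name).relative_to(root_path)
                hits.append(rel.as_posix())
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed directory tree mixing intact and renamed files.

    The contents of the 'renamed' files are filler bytes standing in for
    the useless data the article says the wiper writes; nothing here
    reproduces the wiper itself.
    """
    root = tempfile.mkdtemp(prefix="bibi_scan_demo_")
    samples = {
        "report.docx": b"normal document",
        "invoice.pdf.BiBi1": b"\x00" * 64,       # constructed: renamed
        "notes/todo.txt.BiBi12": b"\xff" * 64,   # constructed: renamed
        "notes/keep.txt": b"still intact",
        "bibi_policy.md": b"mentions bibi but has no numbered extension",
    }
    for rel, data in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in scan_for_bibi_renames(demo_root):
        print("suspect rename:", hit)
```

The match is deliberately case-sensitive and anchored to the end of the name, so ordinary files that merely mention "bibi" are not reported; a count of hits per directory is a quick way to tell whether a run was confined to the folders passed on the command line or reached the whole filesystem.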