October 30, 2023 at 01:10PM
A pro-Hamas hacktivist group has developed a new Linux-based wiper malware called BiBi-Linux Wiper. The malware targets Israeli entities during the ongoing Israel-Hamas war. BiBi-Linux Wiper is destructive and can destroy an entire operating system if run with root permissions. It overwrites files and renames them so that the string “BiBi” appears in the filename. The malware is used by the suspected Hamas-affiliated threat actor called Arid Viper, which operates in two sub-groups focused on cyber espionage against Israel and Palestine. Arid Viper uses social engineering and phishing attacks to deploy various custom malware.
Key Takeaways:
– A pro-Hamas hacktivist group has developed a new Linux-based wiper malware called BiBi-Linux Wiper, which is targeting Israeli entities during the Israel-Hamas war.
– The malware is an x64 ELF executable and lacks obfuscation or protective measures. It can potentially destroy an entire operating system if run with root permissions.
– BiBi-Linux Wiper has capabilities such as multithreading to corrupt files concurrently, overwriting files, renaming them with the extension “[RANDOM_NAME].BiBi[NUMBER],” and excluding certain file types from corruption.
– The use of the string “bibi” in the filename holds significance as it is a common nickname for the Israeli Prime Minister, Benjamin Netanyahu.
– The malware is coded in C/C++ and has a file size of 1.2 MB. The threat actor can specify target folders via command-line parameters, and by default, it targets the root directory (“/”) if no path is provided.
– BiBi-Linux Wiper uses the nohup command during execution to run in the background. It skips over files with .out or .so extensions.
– Sekoia revealed that the suspected Hamas-affiliated threat actor, Arid Viper, is likely organized into two sub-groups focusing on cyber espionage activities against Israel and Palestine.
– Arid Viper targets high-profile individuals from critical sectors, using social engineering, phishing attacks, and a variety of custom malware.
– Their arsenal includes Micropsia, PyMicropsia, Arid Gopher, BarbWire, and a new undocumented backdoor called Rusty Viper written in Rust.
– Arid Viper’s spying capabilities include recording audio, detecting inserted flash drives, exfiltrating files, and stealing browser credentials.
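The rename pattern and the skipped extensions described in the takeaways above give responders something concrete to hunt for on a suspected host. The script below is an added example for triage, not code from the report or from the threat actor: it walks a directory tree, counts files whose names match the “[RANDOM_NAME].BiBi[NUMBER]” shape, and separately lists files with the .out and .so extensions the report says the wiper leaves alone. The sample tree it builds uses constructed filenames (Xk8sQ.BiBi1, p0Lm.BiBi2, libfoo.so, tool.out), not real indicators; the regex treats the random name as any non-empty basename and the number as one or more digits, which is an assumption made from the description rather than a detail taken from the sample.

```python
import os
import re
import tempfile
from collections import Counter

# Filename shape attributed to the wiper in the report: "[RANDOM_NAME].BiBi[NUMBER]".
# Assumption: the random name is any non-empty basename and the trailing number is
# one or more digits. Matching is case-insensitive so a lowercase "bibi" marker is
# not missed.
BIBI_RENAME_RE = re.compile(r"^.+\.bibi\d+$", re.IGNORECASE)

# Extensions the report says the wiper skips over.
SKIPPED_EXTENSIONS = (".out", ".so")


def is_bibi_renamed(basename: str) -> bool:
    """Return True if a file basename matches the wiper's rename pattern."""
    return BIBI_RENAME_RE.match(basename) is not None


def scan_tree(root: str) -> dict:
    """Walk a directory tree and count suspected renamed files per directory.

    Returns {directory_path: count} for directories with at least one hit,
    which gives a quick picture of which parts of the tree were touched.
    """
    hits = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if is_bibi_renamed(name):
                hits[dirpath] += 1
    return dict(hits)


def survivors_by_skipped_extension(root: str) -> list:
    """List files carrying an extension the report says the wiper skips.

    On a host where the wiper ran, these are the files expected to remain
    intact by design; comparing them with other intact files helps scope
    which directories the run actually reached.
    """
    survivors = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(SKIPPED_EXTENSIONS):
                survivors.append(os.path.join(dirpath, name))
    return sorted(survivors)


def build_sample_tree() -> str:
    """Create a constructed sample tree (hypothetical names, not real IoCs)."""
    root = tempfile.mkdtemp(prefix="bibi_triage_")
    os.makedirs(os.path.join(root, "home", "user"))
    os.makedirs(os.path.join(root, "usr", "lib"))
    for rel in (
        "home/user/Xk8sQ.BiBi1",  # constructed: looks like a renamed, overwritten file
        "home/user/p0Lm.BiBi2",   # constructed: second renamed file
        "home/user/notes.txt",    # constructed: an untouched file
        "usr/lib/libfoo.so",      # constructed: extension the wiper skips
        "usr/lib/tool.out",       # constructed: extension the wiper skips
    ):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("suspected renamed files per directory:", scan_tree(sample_root))
    print("files with skipped extensions:", survivors_by_skipped_extension(sample_root))
```

Run it as-is to see the output on the constructed tree, or point `scan_tree` at a mounted image of a suspected host. Because the report says the wiper defaults to “/” when no path is given, a hit count concentrated under a single subtree suggests the actor passed an explicit target folder, which is worth recording in the incident timeline.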