Israel warns of BiBi wiper attacks targeting Linux and Windows

November 13, 2023 at 11:59AM

Researchers have discovered variants of the BiBi malware family that can wipe data on both Linux and Windows systems, with the Linux version believed to be launched by pro-Hamas hacktivists. Organizations are advised to use identifiers provided by Israel’s CERT to identify or prevent these attacks. BiBi-Linux and BiBi-Windows overwrite files with random bytes and delete system snapshots, making data recovery difficult. The initial infection vector remains unknown.

Key takeaways from the report:

1. Data-wiping attacks using the BiBi malware family are increasing on Israeli computers. Both Linux and Windows systems have been targeted.
2. The attacks were launched by pro-Hamas hacktivists, and Israel’s CERT has published an alert with guidelines to help organizations identify and prevent the threat actors’ activity.
3. The government recommends using the provided identifiers for all corporate security systems, such as SIEM, EDR, and antivirus. Organizations are also asked to inform the national cyber system if they find any of the identifiers on their corporate hosts.
4. The BiBi malware (both Linux and Windows variants) achieves its goal by overwriting files, without involving data exfiltration, encryption, or ransom demands.
5. The malware targets all file types except .EXE, .DLL, and .SYS files to ensure that the computer remains functional for relaying the hacktivists’ message.
6. Targeted files are overwritten with random bytes and renamed using a unique sequence of random letters, followed by an alphanumerical extension containing the “BiBi” string. This makes data recovery efforts more challenging.
7. The malware also deletes shadow copies, preventing easy system restoration, and turns off system recovery features.
8. The initial infection vector for the malware is currently unknown.
9. Karma, a hacktivist group responsible for orchestrating the campaign, shows overlaps with previously known Iranian hacktivist groups.
10. YARA rules and hashes are provided by Security Joes and BlackBerry for detecting the two known variants of the BiBi wiper, and additional identifiers are available from Israel’s CERT authority.
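As an added example (not code from the article, Israel's CERT, Security Joes or BlackBerry), the following Python triage script applies the two observable traits listed above, the "BiBi" renaming and the random-byte overwrite, to a directory tree. The regex and the entropy threshold are assumptions made here, not published identifiers; the real hashes and YARA rules come from the alert and the vendor reports.

```python
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed heuristic for the renaming the alert describes: a run of letters as
# the file name, then an alphanumeric extension containing "BiBi". The alert
# does not give the exact format, so tune this against real samples.
BIBI_NAME = re.compile(r"^[A-Za-z]+\.[A-Za-z0-9]*BiBi[A-Za-z0-9]*$")

# The wiper spares executables so the host keeps running; skip them here and
# leave them to hash/YARA matching instead.
SPARED_EXTENSIONS = {".exe", ".dll", ".sys"}


def looks_like_bibi_name(name: str) -> bool:
    """True if a file name matches the assumed BiBi renaming pattern."""
    return BIBI_NAME.match(name) is not None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; content overwritten with random bytes sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root: Path, sample_size: int = 4096,
                   entropy_floor: float = 7.5) -> list[dict]:
    """Walk root; report name matches and files whose head is near-random."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() in SPARED_EXTENSIONS:
            continue
        name_hit = looks_like_bibi_name(path.name)
        with path.open("rb") as fh:
            ent = shannon_entropy(fh.read(sample_size))
        if name_hit or ent >= entropy_floor:
            findings.append({"path": str(path), "name_match": name_hit,
                             "entropy": round(ent, 2)})
    return findings


def demo_scan() -> list[dict]:
    """Constructed sample tree (not real IoCs): one wiped-looking file,
    one ordinary document and one spared executable."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "abcdefgh.k7BiBi2q").write_bytes(bytes(range(256)) * 4)
        (root / "readme.txt").write_text("hello world\n" * 20)
        (root / "tool.exe").write_bytes(bytes(range(256)) * 4)
        # Report bare names so the result does not depend on the temp path.
        return [dict(f, path=Path(f["path"]).name) for f in scan_directory(root)]


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

Point the scanner at a real share or home directory to get candidate files for the incident record; a name match alone is the stronger signal, since legitimately compressed or encrypted files also show high entropy.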
