NEWS  Security  November 14, 2023  Reading time: 2 Minute(s)

Max (RS editor)

In a recent security alert, Israeli cybersecurity experts have sounded the alarm on the emergence of BiBi wiper attacks, targeting both Linux and Windows operating systems. The malware, discovered in a compact 203KB 64-bit executable, demonstrates sophisticated techniques to compromise system integrity.

Upon activation, the malware assesses the host's processor, identifying the optimal number of threads to exploit for swift data-wiping assaults—capable of supporting up to 12 threads on eight cores. A parallel multi-thread and queuing logic were observed in the Linux variant of the malware, showcasing a high level of adaptability.

Researchers revealed that the threat actor employed a right-to-left technique to circumvent conventional pattern detection rules commonly found in legacy antivirus products. The Windows variant of BiBi selectively targets all file types, excluding .EXE, .DLL, and .SYS files. This strategic omission is believed to prevent rendering the computer inoperable, ensuring the hacktivists can effectively convey their message.

Targeted files undergo a comprehensive overwrite process with random bytes, rendering them irrecoverable. Furthermore, the malware renames these files using a ten-character alphanumeric sequence followed by an extension containing the "BiBi" string. This unpredictable renaming process adds an additional layer of complexity, hampering data recovery efforts.

To impede system restoration, BiBi wipes out shadow copies—snapshots of the system in an earlier state commonly used for data and settings recovery. Additionally, the malware deactivates the 'Error Recovery' mode on system boot and disables the 'Windows Recovery' feature, further complicating recovery processes.

Security experts from BlackBerry and Security Joes have collaborated on a comprehensive report, delving deeper into the campaign and identifying the Karma hacktivist group as the orchestrator. This group shares similarities with previously known Iranian hacktivist groups, such as 'Moses Staff,' known for launching ransom-less data encrypting attacks.

In response to the threat, Security Joes and BlackBerry have provided YARA rules for detecting the two known BiBi wiper variants, along with hashes for the respective executables. Israel's CERT authority has also released a set of identifiers in TXT and CSV formats to aid in tracking BiBi threat activity. Vigilance and adherence to recommended security measures are strongly advised to mitigate the risks posed by this evolving cybersecurity threat.

(Cover Image by storyset on Freepik)