BiBi-Windows Wiper: Targets Windows in Pro-Hamas attacks

Cybersecurity researchers have issued a warning about BiBi-Windows Wiper, a Windows variant of a wiper malware that had previously been observed targeting Linux systems in cyber attacks specifically aimed at Israel.

BiBi-Windows Wiper

Named BiBi-Windows Wiper by BlackBerry, this wiper serves as the Windows counterpart to BiBi-Linux Wiper. The latter was employed by a group of pro-Hamas activists in the aftermath of the Israel-Hamas conflict last month.

The emergence of the Windows variant affirms that the threat actors behind the wiper are actively developing malware. This signals an expansion of the attack to include end-user machines and application servers, according to the Canadian manufacturing company.

A Slovakian cybersecurity firm is monitoring a wiper known as BiBiGun, specifically highlighting the Windows variant (bibi.exe). This variant is programmed to systematically overwrite data in the C:\Users directory with random data and append .BiBi to the filenames.

BiBi-Windows Wiper was compiled on October 21, 2023, just two weeks after the onset of the war.

Apart from obliterating all files except those with .exe, .dll, and .sys extensions, the wiper erases shadow copies, effectively thwarting victims’ file recovery efforts.
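The file-system traits described above (random overwrites under C:\Users, the .BiBi suffix, and the spared .exe, .dll and .sys types) can be combined into a triage heuristic for file-rename telemetry. The following is an added example, not code from BlackBerry or any vendor cited here; the event field names, the entropy cut-off, the per-process threshold and the process path are assumptions, and the sample events are constructed.

```python
import math
import ntpath
from collections import Counter, defaultdict

SUFFIX = ".bibi"                    # extension the article says is appended
SPARED = {".exe", ".dll", ".sys"}   # file types the article says are left intact
USERS_ROOT = "c:\\users\\"          # directory tree the article says is overwritten

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; randomly overwritten data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def fits_pattern(event: dict, min_entropy: float = 7.5) -> bool:
    """True when one rename event shows all three traits (cut-off is an assumption)."""
    old, new = event["old"].lower(), event["new"].lower()
    if not new.startswith(USERS_ROOT) or not new.endswith(SUFFIX):
        return False
    if ntpath.splitext(old)[1] in SPARED:   # the wiper skips these, so not a match
        return False
    return entropy(event["sample"]) >= min_entropy

def suspicious_processes(events, threshold: int = 3) -> dict:
    """Group matching renames by process; keep those at or above the assumed threshold."""
    by_proc = defaultdict(list)
    for ev in events:
        if fits_pattern(ev):
            by_proc[(ev["pid"], ev["image"])].append(ev["new"])
    return {proc: paths for proc, paths in by_proc.items() if len(paths) >= threshold}

RANDOM = bytes(range(256)) * 4          # constructed stand-in for overwritten content
TEXT = b"quarterly report draft " * 40  # constructed low-entropy document content
EVENTS = [  # constructed sample telemetry, not taken from a real incident
    {"pid": 4120, "image": "C:\\Temp\\unknown.exe", "old": f"C:\\Users\\dana\\Documents\\doc{i}.docx",
     "new": f"C:\\Users\\dana\\Documents\\doc{i}.docx.BiBi", "sample": RANDOM}
    for i in range(4)
] + [
    # Benign: a user renames one text file; the content is still readable text.
    {"pid": 988, "image": "C:\\Windows\\explorer.exe", "old": "C:\\Users\\dana\\notes.txt",
     "new": "C:\\Users\\dana\\notes.BiBi", "sample": TEXT},
    # Outside C:\Users, so out of scope for this check.
    {"pid": 4120, "image": "C:\\Temp\\unknown.exe", "old": "D:\\share\\a.bin",
     "new": "D:\\share\\a.bin.BiBi", "sample": RANDOM},
]

if __name__ == "__main__":
    for (pid, image), paths in suspicious_processes(EVENTS).items():
        print(f"pid {pid} ({image}): {len(paths)} files renamed to *{SUFFIX} with random content")
```

Requiring high-entropy content and a per-process count alongside the suffix keeps a single user-initiated rename from raising an alert.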

A noteworthy similarity with the Linux variant is its multithreading capability.


“To enhance its destructive efficiency, the malware employs 12 threads across eight processor cores,” explained Dmitry Bestuzhev, Senior Director of BlackBerry Cyber Threat Intelligence.

Security Joes, which first documented BiBi-Linux Wiper, disclosed that the malware is part of a “broad-scale operation aimed at disrupting the day-to-day operations of Israeli companies through data destruction.”

The cybersecurity firm further disclosed the identification of connections between the activist group Karma and another geopolitically motivated entity known as Moses Staff (aka Cobalt Sapling), suspected to have Iranian origins.

While the campaign primarily targeted Israeli IT and government sectors, certain groups like Moses Staff, as per Security Joes, have a history of simultaneously attacking organizations across diverse business sectors and geographical locations.

Indicators of Compromise (IoCs)

File Name | Size | SHA256
bibi.exe | 203.00 KB (207872 bytes) | 40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e1


About the Author:

FirstHackersNews- Identifies Security
