BiBi-Linux Wiper Malware Used Against Israeli Targets

A newly discovered malware called BiBi-Linux is being employed in attacks aimed at Linux systems owned by Israeli companies, with the intent of erasing data.

The Incident Response team at Security Joes uncovered this malicious payload while investigating a security breach within an Israeli organization's network. As of now, only two security vendors' malware scanning engines recognize BiBi-Linux as a threat, as reported by VirusTotal.

This malware distinguishes itself by not leaving a ransom note or any means for victims to contact the attackers for ransom negotiations, even though it pretends to encrypt files.

In the words of researchers with Security Joes, "This new threat doesn't establish communication with remote Command & Control (C2) servers for data exfiltration, use reversible encryption algorithms, or employ ransom notes to pressure victims into making payments." Instead, it corrupts files by overwriting them with useless data, causing harm to both the data and the operating system.

BiBi-Linux - Mode of Operation

The payload, identified as an x64 ELF executable named bibi-linux.out, lets the attackers choose which directories to target through command-line parameters (the "encryption" is in fact destructive overwriting). If run with root privileges and no target path specified, it attempts to delete the entire '/' root directory and can thereby wipe out the operating system of the compromised device.

BiBi-Linux employs multiple threads and a queue system to enhance speed and effectiveness. It overwrites file contents, rendering them unusable, and appends a ransom-like name and an extension containing the term 'BiBi' (a nickname associated with Israel's Prime Minister, Benjamin Netanyahu) followed by a number.

The appended number signifies the number of times a file has been wiped, as observed by BleepingComputer. Notably, the malware sample discovered by Security Joes lacks any obfuscation, packing, or other protective measures, simplifying the work of malware analysts.
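The observable traces described above (files overwritten with useless data, then renamed with an extension containing 'BiBi' plus a wipe counter) are what a responder would hunt for on a suspect Linux host. The following scanner is an added example written for this page; it is not code from Security Joes or BleepingComputer. It assumes the suffix takes the form `.BiBi<number>` (the report only states that the extension contains 'BiBi' followed by a number, so the separator is an assumption), walks a directory tree, parses the wipe counter from each flagged name, and measures the entropy of the file's first bytes to distinguish content that was actually overwritten from files that were merely renamed. The sample directory it builds is constructed test data.

```python
from __future__ import annotations

import math
import os
import re
import tempfile
from pathlib import Path

# Assumed filename pattern: the report says the wiper appends an extension containing
# 'BiBi' followed by a number (how many times the file was wiped). The leading dot as
# separator is an assumption made for this example.
BIBI_SUFFIX = re.compile(r"\.BiBi(\d+)$")

# Entropy (bits per byte) above which content looks like garbage/random bytes rather
# than text or an ordinary structured file. 8.0 is the maximum for byte data.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def scan_tree(root: str, sample_size: int = 4096) -> list[dict]:
    """Walk `root` and report every file whose name carries the BiBi suffix.

    Each finding records the wipe counter parsed from the extension and the entropy of
    the file's first `sample_size` bytes, so an analyst can see whether the content was
    really overwritten (high entropy) or only renamed.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = BIBI_SUFFIX.search(name)
            if not m:
                continue
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_size)
            except OSError:
                head = b""
            entropy = shannon_entropy(head)
            findings.append({
                "path": str(path),
                "wipe_count": int(m.group(1)),
                "entropy": entropy,
                "overwritten": entropy >= HIGH_ENTROPY,
            })
    return findings


def summarize(findings: list[dict]) -> dict:
    """Aggregate counts suitable for an incident ticket."""
    return {
        "files_flagged": len(findings),
        "files_overwritten": sum(1 for f in findings if f["overwritten"]),
        "max_wipe_count": max((f["wipe_count"] for f in findings), default=0),
    }


def build_sample_tree(base: str) -> None:
    """Constructed sample data (not real victim files) to exercise the scanner."""
    docs = Path(base) / "docs"
    docs.mkdir(parents=True)
    # Overwritten content: every byte value equally often -> entropy exactly 8.0.
    (docs / "report.pdf.BiBi1").write_bytes(bytes(range(256)) * 16)
    (docs / "ledger.xlsx.BiBi3").write_bytes(bytes(range(256)) * 16)
    # Renamed but still plain text -> low entropy; worth a second look by the analyst.
    (docs / "notes.txt.BiBi2").write_bytes(b"quarterly notes\n" * 200)
    # Untouched file: must not be flagged.
    (docs / "readme.txt").write_bytes(b"nothing to see here\n")


def demo() -> dict:
    """Build the constructed tree in a temp dir, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    print(demo())
```

On the constructed tree the summary reports three flagged files, two of them with overwritten content, and a maximum wipe counter of 3. Run it against a real mount point with `scan_tree("/path/to/mount")`; because the check is filename-based it only finds what the wiper has already touched, so it belongs in triage and scoping, while the root-privilege behaviour described above is a reminder that processes running as root on file servers deserve strict least-privilege controls.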

This suggests that the threat actors are not overly concerned about their tools being detected and dissected; instead, they focus on maximizing the impact of their attacks.

Destructive malware has also been extensively used by Russian threat groups to target Ukrainian organizations, particularly after Russia's invasion of Ukraine in February 2022. Notable wiper malware employed for such attacks includes DoubleZero, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, CaddyWiper, and AcidRain.

For instance, in January, Russian Sandworm military hackers used five different data-wiping malware strains on the network of Ukraine's national news agency (Ukrinform).

October 31, 2023