During a forensics investigation, Security Joes Incident Response team discovered a new Linux Wiper malware they tracked as BiBi-Linux Wiper.
A pro-Hamas hacktivist group used the wiper to destroy the infrastructure of Israeli companies.
The researchers noticed that the malware is an x64 ELF executable that lacks obfuscation or protective measures. The sample analyzed by the experts is written in C/C++, has a file size of approximately 1.2MB, and was compiled with GCC. Threat actors can specify target folders; however, the wiper can potentially destroy an entire operating system when run with root permissions.
“During execution, it produces extensive output, which can be mitigated using the ‘nohup’ command. It also leverages multiple threads and a queue to corrupt files concurrently, enhancing its speed and reach. Its actions include overwriting files, renaming them with a random string containing ‘BiBi,’ and excluding certain file types from corruption.” reads the analysis published by Security Joes.
The author of the malware hardcoded the nickname of the Israeli PM in the malware name and in every destroyed file’s extension. The wiper doesn’t drop a ransom note on the infected system, and the researchers also noticed that it does not use C2 servers, a circumstance that suggests the BiBi-Linux wiper was used purely for data destruction.
“The malicious file discovered on each of the compromised machines was named bibi-linux.out. While the string ‘bibi’ (in the filename), may appear random, it holds significant meaning when mixed with topics such as politics in the Middle East, as it is a common nickname used for the Israeli Prime Minister, Benjamin Netanyahu.” continues the report.
Once executed, the malware produces extensive output to stdout, creating a significant amount of noise during execution. Threat actors mitigate the issue by using the nohup command, so that the program can run without continuously printing output to the terminal. The program’s output is redirected to a file named nohup.out located in the binary’s directory. The use of nohup also prevents the wiping process from halting even if the console is closed.
“To expedite the infection process, this threat leverages multiple threads and employs a queue to synchronize their operations. This approach allows the attack to concurrently corrupt files, significantly enhancing the overall attack’s reach and speed.” concludes the report, which also includes Indicators of Compromise (IoCs).
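The on-disk traces described above (files renamed to a random string containing “BiBi”, a binary named bibi-linux.out, and a nohup.out left beside it) can be scoped with a simple triage walk during incident response. The script below is an added example for responders, not code from the report or from Security Joes; the sample file names and directory layout it builds are constructed for an offline run and do not reproduce the wiper’s exact extension format.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the report: wiped files are renamed to a random
# string containing "BiBi"; the wiper was launched via nohup, which leaves
# nohup.out in the directory of the binary (named bibi-linux.out on victims).
BIBI_NAME_RE = re.compile(r"bibi", re.IGNORECASE)
BINARY_NAME = "bibi-linux.out"
NOHUP_LOG = "nohup.out"


def triage_tree(root):
    """Walk a directory tree and collect BiBi-Linux indicators.

    Returns a dict of lists of suspect paths so an analyst can scope how many
    files were renamed and whether the launcher artifacts are present.
    """
    summary = {"renamed": [], "binary": [], "nohup_logs": []}
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        d = Path(dirpath)
        for name in filenames:
            p = d / name
            if name == BINARY_NAME:
                summary["binary"].append(p)
            elif name == NOHUP_LOG and (d / BINARY_NAME).exists():
                # nohup.out only counts when it sits next to the wiper binary
                summary["nohup_logs"].append(p)
            elif BIBI_NAME_RE.search(name):
                summary["renamed"].append(p)
    return summary


def build_sample_tree():
    """Constructed sample tree (hypothetical names, not from the report)."""
    root = Path(tempfile.mkdtemp(prefix="bibi_triage_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.pdf").write_bytes(b"%PDF-1.4 intact")   # untouched
    (root / "docs" / "x9Qk.BiBi1").write_bytes(b"\x00" * 16)         # wiped + renamed
    (root / "docs" / "aZ2p.BiBi2").write_bytes(b"\x00" * 16)         # wiped + renamed
    (root / "tmp").mkdir()
    (root / "tmp" / BINARY_NAME).write_bytes(b"\x7fELF")             # the wiper binary
    (root / "tmp" / NOHUP_LOG).write_text("noise\n")                 # redirected output
    (root / "tmp" / "nohup.out.bak").write_text("")                  # must not match
    return root


if __name__ == "__main__":
    s = triage_tree(build_sample_tree())
    print(f"renamed={len(s['renamed'])} binary={len(s['binary'])} nohup={len(s['nohup_logs'])}")
```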
(SecurityAffairs – hacking, Hamas)