Security Joes describes a large-scale data-wiping campaign targeting Israeli organizations, led by hacktivist groups Karma and Moses Staff, featuring BiBi-Linux Wiper and the Windows variant bibi.exe. The investigation links pro-Palestinian motives to the attacks and highlights coordinated data destruction aimed at undermining Israel’s economy, with defense recommendations for organizations facing similar threats.
Key points
- The campaign centers on a new data-wiping malware named BiBi-Linux, with a Windows variant bibi.exe identified by researchers.
- Karma, a hacktivist group, publicly claimed breaches and used their Telegram channels to disseminate attack information and slogans.
- Moses Staff, an Iranian-linked actor, is linked in OSINT to similar wiping operations and to the broader data-destruction narrative.
- Initial access is described as coming through publicly exposed administrative panels, followed by lateral movement toward iDRAC servers, the attack’s main target.
- The attackers wipe data via the BiBi-Linux Wiper and, in some cases, through manual deletion on compromised systems.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used for initial access via publicly exposed administrative panels. Quote: ‘Initial access via publicly-exposed administrative panels’
- [T1021] Lateral Movement – Lateral movement towards iDRAC servers, with them being the attack’s main target. Quote: ‘Lateral movement towards iDRAC servers, with them being the attack’s main target’
- [T1485] Data Destruction – Wiping data using both Wiper (“Bibi-Linux”) and manual deletion. Quote: ‘Wiping data using both Wiper (“Bibi-Linux”) and manual deletion’
Indicators of Compromise
- File Hash – 23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad – BiBi-Linux Wiper hash mentioned in article
- File Name – bibi.exe – Windows variant of BiBi-Linux
- File Name – BiBi-Linux – Wiper name referenced in the campaign