Security Joes Incident Response identified a new Linux wiper linked to Hamas-affiliated hacktivists, named BiBi-Linux Wiper, observed targeting Israeli companies. The malware destroys data by overwriting files and renaming them with an extension containing the string "BiBi"; run with root privileges, it can wipe the operating system as well. It drops no ransom note and has no C2 communication.
#BiBiLinuxWiper #HamasHacktivists
Keypoints
- BiBi-Linux Wiper is a previously undocumented x64 ELF Linux wiper (~1.2 MB) coded in C/C++ with GCC, lacking obfuscation.
- Targeted victims appear to be Israeli companies amid the Israel–Hamas conflict, with political motives rather than financial gain.
- The malware hardcodes the name “BiBi” in the malware file name and in the extensions used for corrupted files.
- It runs multi-threaded, feeding file paths through a work queue to speed up destruction; with root privileges it can take the OS down along with the data.
- There is no ransom note or C2 requirement; the attack focuses on rapid data destruction instead of theft or extortion.
- The binary is verbose and prints its progress to stdout; the attackers launched it with nohup so it keeps running after the session ends, with that output redirected to nohup.out.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Adversaries exploited a weakness in an Internet-facing host to gain initial access to the network.
- [T1059.004] Command and Scripting Interpreter: Unix Shell – nohup was used to launch the wiper inside the victim's environment.
- [T1072] Software Deployment Tools (Lateral Movement) – Server administration tools were used to deploy the wiper to several servers.
- [T1083] File and Directory Discovery – The wiper enumerates the file system for files and folders to destroy.
- [T1082] System Information Discovery – The wiper collects system details such as the number of CPU cores and the local time.
- [T1485] Data Destruction – File contents are overwritten with useless data.
Indicators of Compromise
- [File Name] Malicious binary and related artifact – bibi-linux.out (the wiper) and nohup.out (its redirected output)
- [File Hash] 23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad – SHA-256 hash associated with the primary sample
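As an added example, not code from the Security Joes report or from the page, the following Python host sweep turns the indicators above into a triage check: it flags files whose final extension contains "BiBi", the two artifact names, and any file whose SHA-256 equals the published hash. Only the hash and the two file names come from the page; the directory layout, the ".BiBi<n>" sample names and all file contents in demo() are constructed for the demonstration, and the extension regex is an assumption (the page gives no exact suffix format).

```python
# Added example, not code from the Security Joes report: a small host sweep
# for the artifacts described above. Only the two IoC constants come from the
# page; the directory layout and file names in demo() are constructed here.
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators from the page.
IOC_SHA256 = "23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad"
IOC_FILENAMES = {"bibi-linux.out", "nohup.out"}

# The page only says the new extension contains "BiBi", so match any final
# extension containing that string (case-sensitive) rather than a fixed format.
BIBI_EXT = re.compile(r"\.[^./]*BiBi[^./]*$")

# Files larger than this are skipped by the hash check; the sample is ~1.2 MB.
HASH_SIZE_CAP = 8 * 1024 * 1024


def is_wiped_name(name: str) -> bool:
    """True if the file name carries a BiBi-style extension."""
    return BIBI_EXT.search(name) is not None


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path) -> dict:
    """Walk root and return full paths grouped by which indicator they matched."""
    findings = {"renamed": [], "artifacts": [], "hash_match": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_wiped_name(name):
                findings["renamed"].append(str(p))
            if name in IOC_FILENAMES:
                findings["artifacts"].append(str(p))
            try:
                if p.stat().st_size <= HASH_SIZE_CAP and sha256_of(p) == IOC_SHA256:
                    findings["hash_match"].append(str(p))
            except OSError:
                # Dangling symlink, permission denied, file removed mid-walk: skip.
                continue
    return findings


def demo() -> dict:
    """Build a constructed tree, sweep it, and return sorted base names per category."""
    root = Path(tempfile.mkdtemp(prefix="bibi-demo-"))
    (root / "docs").mkdir()
    # Constructed names. The ".BiBi<n>" suffixes are an assumed shape of the
    # "BiBi-containing extension"; the contents are placeholders, not samples.
    (root / "docs" / "Q3-report.BiBi1").write_bytes(os.urandom(64))
    (root / "docs" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 still intact")
    (root / "tmp.BiBi12").write_bytes(os.urandom(64))
    (root / "nohup.out").write_text("constructed stand-in for the wiper's redirected output\n")
    (root / "bibi-linux.out").write_bytes(b"placeholder, not the real ELF")
    return {k: sorted(Path(p).name for p in v) for k, v in sweep(root).items()}


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

On a suspect host, call sweep() as root against the mount points of interest rather than the demo tree. The hash check only catches the exact published sample, and nohup.out is produced by any job started with nohup, so treat a lone nohup.out as corroborating evidence and rely on the renamed-file pattern and the bibi-linux.out name for the actual detection.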
Read more: https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group