SecurityJoes first reported a Linux wiper named BiBi-Linux Wiper used by pro-Hamas hacktivists. BlackBerry later identified a Windows variant, BiBi-Windows Wiper, signaling the threat is expanding to Windows end-user machines. #BiBiLinuxWiper #BiBiWindowsWiper #Hamas #Israel #ShadowCopy #RestartManager
Keypoints
- BiBi-Linux Wiper was reported by SecurityJoes; a Windows variant (BiBi-Windows Wiper) was subsequently identified by BlackBerry.
- The attack appears data-destructive with no ransom note and no C2 infrastructure described.
MITRE Techniques
- [T1082] System Information Discovery – The malware, once executed, checks the processor architecture and the number of threads in the intended victim’s system. “The infection vector is currently unknown, once the implant is executed, it checks the processor architecture and the number of threads in the intended victim’s system.”
- [T1059.003] Command-Line Interface – It executes Windows commands via the CMD shell, e.g., “cmd.exe /c vssadmin delete shadows /quiet /all”, with the command strings stored right-to-left to evade detection. “All CMD commands in the code are stored with a right-to-left technique to bypass simple pattern detection rules typically used by legacy antivirus products.”
- [T1027] Obfuscated/Compressed Files and Information – The code stores CMD commands using a right-to-left technique to defeat detectors. “All CMD commands in the code are stored with a right-to-left technique to bypass simple pattern detection rules typically used by legacy antivirus products.”
- [T1490] Inhibit System Recovery – The malware disables system recovery features to hinder restoration: “disables the system’s trigger to call the Error Recovery screen on startup” and “turns off the Windows Recovery feature so the system may not be recovered.”
- [T1485] Data Destruction – The wiper destroys files by overwriting them with random bytes and renaming them, effectively deleting data: “The sample destroys all files … The wiping process is performed so the targeted files are filled out with random bytes, essentially rendering the file unusable—and unrecoverable.”
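The right-to-left string storage described under T1059.003 and T1027 is what defeats a forward-only pattern rule. The scanner below is an added example written for this summary; it is not code from BlackBerry, SecurityJoes, or the sample itself. It takes the one command string the report quotes (the `KNOWN_COMMANDS` list and the constructed `SAMPLE_BLOB` are assumptions for illustration) and checks every command in both orientations and in both ASCII and UTF-16LE, then contrasts that with a legacy forward-only check on the same bytes.

```python
"""
Static detection of reversed (right-to-left) command strings in a binary blob.

Added example for this summary, not code from the BiBi report or the sample.
A rule that only searches for "vssadmin delete shadows" in forward order
misses a binary that stores the string reversed; this scanner checks each
known command forward and reversed, in ASCII and in UTF-16LE (wide strings
are common in Windows binaries).
"""
from __future__ import annotations

from dataclasses import dataclass

# Command quoted in the report, plus the shorter generic shadow-deletion form.
# Assumed list for illustration; extend with other commands from your own analysis.
KNOWN_COMMANDS = [
    "cmd.exe /c vssadmin delete shadows /quiet /all",
    "vssadmin delete shadows",
]


@dataclass(frozen=True)
class Hit:
    command: str
    orientation: str  # "forward" or "reversed"
    encoding: str     # "ascii" or "utf-16le"
    offset: int       # byte offset of the match in the blob


def _variants(command: str):
    """Yield (orientation, encoding, needle_bytes) for every form we look for."""
    for orientation, text in (("forward", command), ("reversed", command[::-1])):
        for encoding in ("ascii", "utf-16le"):
            yield orientation, encoding, text.lower().encode(encoding)


def scan_blob(blob: bytes, commands=KNOWN_COMMANDS) -> list[Hit]:
    """Find every known command in the blob, in any orientation and encoding."""
    # bytes.lower() only folds ASCII letters, so it is safe on UTF-16LE data too.
    haystack = blob.lower()
    hits: list[Hit] = []
    for command in commands:
        for orientation, encoding, needle in _variants(command):
            start = 0
            while (idx := haystack.find(needle, start)) != -1:
                hits.append(Hit(command, orientation, encoding, idx))
                start = idx + 1
    return hits


def legacy_forward_only(blob: bytes, commands=KNOWN_COMMANDS) -> list[Hit]:
    """What a forward-only pattern rule would report on the same bytes."""
    return [h for h in scan_blob(blob, commands) if h.orientation == "forward"]


# Constructed test input: a fake header, then the quoted command stored
# reversed as a UTF-16LE string, the way the report describes. Not real sample bytes.
_REVERSED_COMMAND = "cmd.exe /c vssadmin delete shadows /quiet /all"[::-1]
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + _REVERSED_COMMAND.encode("utf-16le")
    + b"\x00" * 8
    + b"Some unrelated text"
)


if __name__ == "__main__":
    for hit in scan_blob(SAMPLE_BLOB):
        print(hit)
    print("legacy forward-only rule hits:", legacy_forward_only(SAMPLE_BLOB))
```

On the constructed blob the forward-only rule returns nothing, while `scan_blob` reports the reversed UTF-16LE command at offset 20 and its embedded `vssadmin delete shadows` substring at offset 44. The same idea transfers to YARA or EDR string rules: emit both orientations and both encodings of each command rather than relying on a single forward ASCII pattern.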
Indicators of Compromise
- [File Name] BiBi Windows Wiper sample – bibi.exe
- [SHA256] BiBi Windows Wiper sample – 40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17
- [MD5] BiBi Windows Wiper sample – e26bba0304f14ef96beb60376791d32c
- [File Size] BiBi Windows Wiper sample – 203.00 KB (207872 bytes)
Read more: https://blogs.blackberry.com/en/2023/11/bibi-wiper-used-in-the-israel-hamas-war-now-runs-on-windows