New BiBi-Linux wiper malware targets Israeli orgs in destructive attacks

Trending 1 month ago


A caller malware wiper known arsenic BiBi-Linux is being utilized to destruct information successful attacks targeting Linux systems belonging to Israeli companies.

Security Joes' Incident Response squad discovered nan malicious payload while investigating nan breach of an Israeli organization's network. Currently, only 2 information vendors' malware scanning engines detect BiBi-Linux arsenic malicious, according to VirusTotal.

The malware reveals its existent quality by not dropping a ransom statement aliases providing victims pinch a measurement to scope retired to nan attackers to discuss costs for a decryptor, moreover though it fakes record encryption,

"This caller threat does not found connection pinch distant Command & Control (C2) servers for information exfiltration, employment reversible encryption algorithms, aliases time off ransom notes arsenic a intends to coerce victims into making payments," said Security Joes.

"Instead, it conducts record corruption by overwriting files pinch useless data, damaging some nan information and nan operating system."

The payload (an x64 ELF executable named bibi-linux.out) recovered connected nan victim's systems allows nan attackers to take what folders to encrypt via command-line parameters.

It tin wholly swipe a compromised device's operating strategy erstwhile tally pinch guidelines privileges if nan attackers do not supply a target path, arsenic it will effort to delete nan full '/' guidelines directory.

BiBi-Linux wiperBiBi-Linux wiper encrypting files(BleepingComputer)

BiBi-Linux uses aggregate threads and a queue strategy for improved velocity and effectiveness. It will overwrite files' contents to destruct them, renaming them utilizing a ransom sanction and an hold made retired of nan 'BiBi' string (Bibi is simply a nickname utilized for Israel's Prime Minister, Benjamin Netanyahu) followed by a number.

As seen by BleepingComputer, nan number appended to nan hold is nan number of rounds a record has been wiped.

The wiper sample discovered by Security Joes besides features nary obfuscation, packing, aliases different protective measures, making malware analysts' jobs overmuch easier.

This shows nan threat actors are not concerned astir their devices being captured and dissected, alternatively focusing connected maximizing their attack's impact.

Destructive malware has besides been utilized extensively by Russian threat groups to target nan systems of Ukrainian organizations since Russia invaded Ukraine successful February 2022.

The database of wiper malware utilized to target Ukraine includes nan likes of DoubleZero, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, CaddyWiper, and AcidRain.

For instance, Russian Sandworm subject hackers deployed five different data-wiping malware strains connected nan web of nan country's nationalist news agency (Ukrinform) successful January.