BiBi Wiper: malware analysis

Important elements of the analysis: 

  • Used in the Israel – Hamas conflict 
  • File overwriting (without any ransom demand) 
  • Drive enumeration 
  • .BiBi extension appended to overwritten files 
  • Anti-VM checks 
  • Modification of OS boot settings to disable Recovery Settings 
  • Shadow copy deletion 
  • Use of Restart Manager objects to handle resources and processes in use at that time 
  • Root path set to the C:\Users folder 
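The behaviours listed above map onto telemetry a defender can watch for. The following is an added detection example, not code from the original article and not part of BiBi Wiper itself: it parses constructed, Sysmon-style process-creation and file-creation events and raises findings for shadow-copy deletion, boot-recovery tampering, and a burst of `.BiBi` files under `C:\Users`. The article does not state which commands the wiper uses for the shadow-copy and boot-setting steps; the `vssadmin`, `wmic` and `bcdedit` patterns below are assumptions based on how those actions are commonly performed on Windows, and the sample log lines, user names and file names are all constructed.

```python
"""Heuristic detection of BiBi-style wiper behaviour over Windows telemetry.

Added example: the log format is a constructed, Sysmon-like key=value layout
(EventID 1 = process creation, EventID 11 = file creation) and the command
patterns are assumptions about typical tradecraft, not facts from the article.
"""
import re
from collections import Counter

# Constructed sample telemetry; not real logs from an infected host.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"
EventID=1 Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no"
EventID=1 Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures"
EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\alice\notes.txt"
EventID=11 TargetFilename=C:\Users\alice\Documents\report.docx.BiBi
EventID=11 TargetFilename=C:\Users\alice\Pictures\photo.jpg.BiBi
EventID=11 TargetFilename=C:\Users\alice\Desktop\budget.xlsx.BiBi
EventID=11 TargetFilename=C:\Users\bob\Desktop\todo.txt.BiBi
EventID=11 TargetFilename=C:\Users\bob\Desktop\todo.txt
"""

# key=value pairs; values may be double-quoted (CommandLine) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Process-level rules: (finding name, regex over the command line).
# These commands are assumed, not quoted from the article.
PROCESS_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# File-level rule: anything under C:\Users\<user>\ that ends in .BiBi.
BIBI_FILE_RE = re.compile(r"^c:\\users\\([^\\]+)\\.*\.bibi$", re.I)


def parse_event(line):
    """Turn one key=value log line into a dict (quoted values unwrapped)."""
    event = {}
    for m in KV_RE.finditer(line):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return event


def analyze(log_text, burst_threshold=3):
    """Return a list of (finding, detail) tuples for the given telemetry.

    burst_threshold: how many .BiBi files under one user profile count as a
    mass-overwrite burst rather than a stray file.
    """
    findings = []
    bibi_per_user = Counter()
    for line in log_text.splitlines():
        event = parse_event(line)
        if event.get("EventID") == "1":
            cmd = event.get("CommandLine", "")
            for name, rx in PROCESS_RULES:
                if rx.search(cmd):
                    findings.append((name, cmd))
                    break  # one finding per process event
        elif event.get("EventID") == "11":
            m = BIBI_FILE_RE.match(event.get("TargetFilename", ""))
            if m:
                bibi_per_user[m.group(1).lower()] += 1
    for user, count in bibi_per_user.items():
        if count >= burst_threshold:
            findings.append(("mass_bibi_writes", f"{count} .BiBi files under C:\\Users\\{user}"))
    return findings


def wiper_suspected(findings):
    """True when at least two distinct wiper indicators co-occur."""
    return len({name for name, _ in findings}) >= 2


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for name, detail in results:
        print(f"[{name}] {detail}")
    print("wiper suspected:", wiper_suspected(results))
```

Tuning note: the per-user burst threshold is what keeps a single renamed file from paging an analyst, while the combination rule in `wiper_suspected` reflects that shadow-copy deletion or a `bcdedit` change alone also appears in legitimate administration; together with a burst of `.BiBi` files under user profiles they are far harder to explain away.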

Introduction 

BiBi Wiper is a “destructive” malware used in the Israel-Hamas conflict by activists of the Sunni terrorist group. As of 30 October 2023 the threat has also been infecting Unix operating systems, but the more widespread variant targets Windows, and that is the one analyzed in this article.  

The artefact, much like what happened during the Russian-Ukrainian war, was used as a hybrid-warfare tool to carry out destructive actions against Israel’s critical infrastructure, effectively contributing to Hamas’s military and strategic offensive. BiBi Wiper overwrites and “locks” files but demands no ransom, which sets it apart from ransomware: the wiper’s only objective is to make the data on target systems inaccessible and unusable. [0] 
