Important elements of the analysis:
- Used in the Israel – Hamas conflict
- Files overwriting (without ransom demand)
- Drives enumeration
- .BiBi extension appended to overwritten files
- Anti-VM tasks
- Modification of OS booting settings to disallow Recovery Settings
- Shadow copy deletion
- Use of Restart Manager objects for resources and processes used at that time
- Root path identified in the C:\Users folder
Introduction
BiBi Wiper is a “destructive” malware used in the Israel-Hamas conflict by activists of the Sunni terrorist group. As of 30 October 2023, the threat has also been infecting Unix operating systems, although a more widely used variant is also Windows, which is analyzed in this article.
The artefact, similar to what happened during the Russian-Ukrainian war, was used as a hybrid warfare tool to carry out destructive actions against Israel’s critical infrastructures, effectively contributing to Hamas’s military and strategic offensive. The threat, by performing an overwriting and “locking” phase of the files (but without demanding a ransom), places BiBi Wiper in a different condition from a ransomware threat. The only objective of the wiper is to make the data of target systems inaccessible and unusable. [0]
For further analysis:
