Pro-Hamas Hacktivists Targeting Israeli Entities with Wiper Malware

A pro-Hamas hacktivist group has been observed using a new Linux-based wiper malware dubbed BiBi-Linux Wiper, targeting Israeli entities amidst the ongoing Israeli-Hamas war.

“This malware is an x64 ELF executable, lacking obfuscation or protective measures,” Security Joes said in a new report published today. “It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions.”

Some of its other capabilities include multithreading to corrupt files concurrently to enhance its speed and reach, overwriting files, renaming them with an extension containing the hard-coded string “BiBi” (in the format “[RANDOM_NAME].BiBi[NUMBER]”), and excluding certain file types from being corrupted.

“While the string ‘bibi’ (in the filename), may appear random, it holds significant meaning when mixed with topics such as politics in the Middle East, as it is a common nickname used for the Israeli Prime Minister, Benjamin Netanyahu,” the cybersecurity company added.

The destructive malware, coded in C/C++ and carrying a file size of 1.2 MB, allows the threat actor to specify target folders via command-line parameters, by default opting for the root directory (“/”) if no path is provided. However, performing the action at this level requires root permissions.

Another notable aspect of BiBi-Linux Wiper is its use of the nohup command during execution so as to run it unimpeded in the background. Some of the file types that are skipped from being overwritten are those with the extensions .out or .so.

“This is because the threat relies on files such as bibi-linux.out and nohup.out for its operation, along with shared libraries essential to the Unix/Linux OS (.so files),” the company said.

The development comes as Sekoia revealed that the suspected Hamas-affiliated threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, Gaza Cyber Gang, and Molerats) is likely organized as two sub-groups, with each cluster focused on cyber espionage activities against Israel and Palestine, respectively.

“Targeting individuals is a common practice of Arid Viper,” SentinelOne researchers Tom Hegel and Aleksandar Milenkoski said in an analysis released last week.

“This includes pre-selected Palestinian and Israeli high-profile targets as well as broader groups, typically from critical sectors such as defense and government organizations, law enforcement, and political parties or movements.”

Attack chains orchestrated by the group include social engineering and phishing attacks as initial intrusion vectors to deploy a wide variety of custom malware to spy on its victims. This comprises Micropsia, PyMicropsia, Arid Gopher, and BarbWire, and a new undocumented backdoor called Rusty Viper that’s written in Rust.

“Collectively, Arid Viper’s arsenal provides diverse spying capabilities such as recording audio with the microphone, detecting inserted flash drives and exfiltrating files from them, and stealing saved browser credentials, to name just a few,” ESET noted earlier this month.