Hamas-Backed Hacktivists Target Israeli Organizations

    A group of hacktivists aligned with Hamas has been observed utilizing a newly developed Linux-based wiper malware called BiBi-Linux Wiper. Their target: Israeli organizations during the ongoing Israeli-Hamas conflict.

    The malware, identified as an x64 ELF executable, lacks obfuscation or protective measures. It enables attackers to specify target folders and, if run with root permissions, has the potential to annihilate an entire operating system.

    Additional features of this malware include multithreading for simultaneous file corruption to enhance its speed and reach, file overwriting, renaming with a “BiBi” string (in the format “[RANDOM_NAME].BiBi[NUMBER]”), and the exclusion of certain file types from corruption.

    The inclusion of “bibi” in the filename is notable, as it holds political significance in the Middle East, commonly referencing the Israeli Prime Minister, Benjamin Netanyahu.

    The malicious code, written in C/C++, has a file size of 1.2 MB and allows the threat actor to specify target folders through command-line parameters, with the root directory (“/”) as the default if no path is provided. However, performing this action at the root level requires root permissions.

    Another noteworthy aspect of BiBi-Linux Wiper is its use of the nohup command during execution, enabling it to run quietly in the background. Some file types, such as those with .out or .so extensions, are excluded from being overwritten due to their importance to the Unix/Linux operating system.
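As an added defensive example (not code from the article or from the malware), the script below scans a file listing for names matching the rename convention the article describes, "[RANDOM_NAME].BiBi[NUMBER]", and counts hits per directory so a responder can spot a wiped tree quickly. It assumes NUMBER is a run of decimal digits and the token is case-sensitive; the sample paths are constructed, not real indicators.

```python
import os
import re
from collections import Counter

# Rename convention from the article: "[RANDOM_NAME].BiBi[NUMBER]".
# Assumption (not stated on the page): NUMBER is decimal digits, token is
# case-sensitive, RANDOM_NAME is any non-empty string.
BIBI_RENAME = re.compile(r"^(?P<name>.+)\.BiBi(?P<num>\d+)$")


def is_bibi_renamed(filename: str) -> bool:
    """True if a bare filename matches the wiper's rename convention."""
    return BIBI_RENAME.match(filename) is not None


def find_bibi_artifacts(paths):
    """Return the subset of paths whose basename matches the rename pattern."""
    return [p for p in paths if is_bibi_renamed(os.path.basename(p))]


def summarize_by_directory(paths):
    """Count matching files per directory; many hits in one tree suggests wiping."""
    return Counter(os.path.dirname(p) for p in find_bibi_artifacts(paths))


def scan_tree(root):
    """Walk a real filesystem tree (no symlink following) and return matching paths."""
    found = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        found.extend(os.path.join(dirpath, f) for f in files if is_bibi_renamed(f))
    return found


# Constructed sample listing for offline use (not indicators from the article).
SAMPLE_PATHS = [
    "/srv/data/reports/q3.xlsx",
    "/srv/data/reports/Xk2Pq9vL.BiBi1",
    "/srv/data/reports/a8ZtRw.BiBi2",
    "/srv/data/reports/libhelper.so",  # .so is skipped by the wiper per the article
    "/home/dev/build/a.out",           # .out likewise
    "/home/dev/notes/BiBi.txt",        # contains the string but not the pattern
    "/home/dev/notes/draft.BiBi",      # missing trailing number
    "/var/tmp/Ql0.BiBi17",
]

if __name__ == "__main__":
    for directory, count in summarize_by_directory(SAMPLE_PATHS).items():
        print(f"{directory}: {count} renamed file(s)")
```

Run `scan_tree("/")` from a forensic mount of the affected disk to apply the same check to a real system.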

    This development coincides with Sekoia’s revelation that the suspected Hamas-affiliated threat actor, known as Arid Viper (also referred to as APT-C-23, Desert Falcon, Gaza Cyber Gang, and Molerats), is likely organized into two sub-groups. Each cluster is focused on cyber espionage activities, with one targeting Israel and the other Palestine.

    Arid Viper is known for targeting individuals, including high-profile Palestinian and Israeli figures, as well as broader groups, particularly from critical sectors such as defense, government organizations, law enforcement, and political parties or movements.

    The group’s attack chains involve social engineering and phishing attacks as initial intrusion vectors to deploy various custom malware for spying on victims. This includes Micropsia, PyMicropsia, Arid Gopher, BarbWire, and a new undocumented backdoor called Rusty Viper, which is written in Rust.

    Collectively, Arid Viper’s arsenal provides diverse spying capabilities, including audio recording using the microphone, detection of inserted flash drives and file exfiltration from them, and theft of saved browser credentials, among other functions.
