From the Labs: YARA Rule for Detecting BiBi Wiper

ReversingLabs analysts are constantly working to respond to new threats and provide our customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.

In this series, we break down some of the threats behind our YARA detection rules that can help your organization detect threats within your environment.

BiBi Wiper: A political tool

In light of the Israel-Hamas conflict, the incident response firm SecurityJoes offered to assist Israeli companies dealing with cyber attacks, which led them to discover a new malware wiper that they believe is connected to the conflict. The wiper, known as BiBi Wiper, has been used by hacktivists to target Israeli companies, many of them government and defense contractors, since late October. The nature of the malware, including the wiper features and hidden messages sent once the malware is deployed, lead researchers to believe that the threat actors behind BiBi Wiper are motivated by the Israeli-Hamas conflict.

The malware earned its name because the original Linux sample, bibi-linux.out, includes the word “bibi,”a nickname for Israel’s Prime Minister, Benjamin Netanyahu. Shortly after the discovery of the Linux sample, Blackberry shared their discovery of a Windows-based version of the sample, BiBi-Windows, and found that it was compiled by threat actors on October 21, 2023. Both malware samples function similarly, and differ only based on the specifics of each operating system. If BiBi Wiper is successfully deployed in a corporate environment, it will either destroy a targeted group of files on an affected system, or wipe the device’s operating system.

Below, we unpack how the malware wiper works; discuss its impact, and introduce two YARA rules that can be used to detect infections: one for the Linux version of BiBi Wiper and one for the Windows version, written by the RL Threat Intelligence Team.

How BiBi Wiper works

While they function similarly, the Linux and Windows samples differ slightly. In researchers' analysis of the Linux sample, bibi-linux.out, they found that the sample lacks obfuscation or any other protective measures commonly used by cybercriminals looking for financial gain. Researchers investigating attacks using bibi-linux.out are also unclear how the threat actors were able to access corporate systems to deploy the malware in the first place.

When the Linux sample is executed, the malware launches several attack threads and a queue that quickens the pace of file corruption, increasing the total damage. The malware corrupts the targeted files by overwriting them and then renames the corrupted files with a random string that includes “BiBi.” The malware is also designed to avoid corrupting files that end in .out or .so, since these files allow a Linux-based computer system to operate. The malware is capable of targeting a select number of files on a system, or to wipe the entire operating system of an infected host, effectively bricking it - but only if the threat actors have root permissions.

Operating in a similar manner, the Windows sample, BiBi-Windows, was discovered just a couple of days after the Linux sample by both Blackberry and ESET. BiBi-Windows functions in the same way that the Linux variant does, except it excludes destroying files that allow a Windows-based computer system to operate: .exe, .dll, and .sys. To make the files it targets inoperable and unrecoverable, the malware fills them out with random bytes, and then renames them to include “BiBi.” Also different from the Linux sample, the Windows variant when deployed disables both the shadow copy and recovery features that Windows offers in its operating system.

BiBi Wiper’s impact

BiBi Wiper is not the first malware of its kind. It also isn’t the first instance in which threat actors have used wiper malware for political ends. One of the most prominent examples is HermeticWiper, which hacktivists created and used to target Ukrainian organizations at the start of the Russian-Ukrainian War back in 2022. Researchers across the board assert that BiBi Wiper was created for similar reasons, but related to the Israel-Hamas conflict.

Evidence to support the wiper’s political aims includes the targets of the malware, all of which are based in Israel and include data hosting services and defense contractors, SecurityJoes researchers report. Additionally, the malware and attack method are not designed to give the victim any means for file recovery, which is a stark contrast from cybercriminal ransomware campaigns, which typically demand a ransom payment from victims in exchange for recovery. This lack of monetary gain for the attackers demonstrates that they are looking to cause damage, and nothing more.

In a follow up blog post, SecurityJoes shared that they went on a subsequent mission to pinpoint the identities of the attackers using BiBi Wiper. In their research, they analyzed the wiper’s tactics, techniques and procedures (TTPs), and saw a strong similarity between them and the TTPs used by another hacker group based in Iran, known as MosesStaff. Because of this similarity, SecurityJoes asserts that the attackers behind BiBi Wiper are related to MosesStaff.

Also in their investigation, researchers discovered that the BiBi Wiper attackers used Telegram, a messaging service, to communicate with each other about their activities. By accessing their Telegram channel, researchers found messages of the threat actors calling themselves by the name “Karma.” Other messages shared Karma’s motivations of disguising themselves as an Israeli hacker group, meant to spread disinformation about Prime Minister Netanyahu.

In an effort to mitigate the BiBi Wiper attacks, Israel’s National Cyber Array shared an alert for wiper identifiers being used in Israel. In the alert, the Israeli government asks that all corporate security systems use the identifiers listed, and also asks organizations to notify the national cyber system if they find any of the identifiers on their systems.

Detecting BiBi Wiper

Since BiBi Wiper can impact both Linux and Windows operating systems, it is essential that security teams take precautionary measures. ReversingLabs’ YARA rules for both the Linux and Windows variants of BiBi Wiper are designed to detect this malware within your environment with high fidelity and almost no false-positives.

Download the BiBi Wiper, Linux variant YARA Rule here:

Linux.Trojan.BiBiWiper.yara

Download the BiBi Wiper, Windows variant YARA Rule here:

Win32.Trojan.BiBiWiper.yara

To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page. To learn more about how our threat analysts write these YARA rules, check out this blog post from ReversingLabs threat analyst Laura Dabelić.

About ReversingLabs

ReversingLabs team of analysts are constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. Don’t hesitate to contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware or to schedule a demonstration.