BiBi Wiper Used in the Israel-Hamas War Now Runs on Windows

Arctic Wolf has uncovered a new malicious wiper variant targeting Israeli companies running Windows systems. We’ve labeled it the BiBi-Windows Wiper, because it appends the Israeli Prime Minister’s nickname “Bibi” to the extension of every destroyed file.

Summary

On October 30, Israel-based incident response company SecurityJoes posted findings about a new wiper malware for Linux systems used by pro-Hamas hacktivists in the Israel-Hamas war. The company is currently tracking the malware as the BiBi-Linux Wiper.

The next day, the Arctic Wolf® Labs team found a variant that targets Windows systems, which we’ve labeled the BiBi-Windows Wiper.

Context

Following the Hamas terrorist attack on Israel on October 7, the physical war between Hamas and Israel has broken through into the cyber realm. A suspected Hamas-affiliated hacktivist group broke into Israeli companies across the nation, compromising internet-facing hosts to access their networks, and deployed a new and highly specific cyber weapon in an apparent attempt to damage the companies’ infrastructure. The new malware, BiBi-Linux Wiper, was uncovered by an incident response team providing assistance for the Israeli companies.

The attack had no ransom note or command-and-control (C2) servers, which led responders to surmise that the BiBi-Linux malware is a wiper, deployed for the sole reason of causing data destruction. Upon analysis, the team discovered that the commonly used nickname of Israeli Prime Minister Benjamin Netanyahu, Bibi, was hardcoded in the malware and appended to the extension of every destroyed file.

SecurityJoes’ team theorizes that the wiper may have been created “by a group of hackers affiliated with Hamas, with the intent to sow chaos amidst the backdrop of war.”

The Windows variant detected by Arctic Wolf® confirms that the threat actors who created the wiper are continuing to build out the malware, and indicates an expansion of the attack to target end user machines and application servers. By diversifying their target systems, the attackers will very likely ensnare additional machines that run on Windows — an operating system that at the time of writing accounts for 68% of total desktop users worldwide, versus a mere 2.9% who use Linux.

Technical Analysis

MD5: e26bba0304f14ef96beb60376791d32c
SHA-256: 40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17
File Name: bibi.exe
File Size: 203.00 KB (207872 bytes)
File Type: Win PE x64
Compiler: Visual Studio (2019)

The timestamp on the BiBi-Windows Wiper suggests the implant was compiled on Saturday, October 21, 2023, just 14 days after Hamas’ initial terror attack on Israel. The malware sample is an x64 Windows portable executable (PE) compiled using Visual Studio 2019, with a file size of 203KB.

Figure 1: BiBi-Windows Wiper’s timestamp.

While the infection vector is currently unknown, once the implant is executed, it checks the processor architecture and the number of threads available on the intended victim’s system. For the fastest possible destruction, the malware runs 12 threads across eight processor cores. During execution, the wiper prints its progress to the console.

Figure 2: BiBi-Windows Wiper’s console output.

The sample destroys all files except those with .exe, .dll, and .sys extensions, because those file types are essential for the computer to keep operating. The skipped extensions are hardcoded in the binary, so that the machine keeps running while the malware completes its course of destruction.

During the wiping process, the targeted files are overwritten with random bytes, rendering them unusable and unrecoverable. The files are then renamed to a random sequence of 10 letters, and the extension BiBi plus a number from 1 to 5 is appended. A typical rewritten filename follows this structure: [Filename].BiBi[number].
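As an added example (not code from the Arctic Wolf analysis), a small Python triage helper that applies the rename scheme just described to scope an incident: it counts files matching the 10-letter .BiBi[1-5] pattern, tallies survivors by extension, and flags non-exempt files the wiper did not touch. It assumes the random letters may be upper or lower case, which the text does not specify, and builds its own constructed sample tree.

```python
import os
import re
import tempfile
from collections import Counter

# Renamed-file pattern described above: 10 letters, then ".BiBi" and a digit 1-5.
# Assumption (not stated on the page): the letters may be upper or lower case.
WIPED_NAME = re.compile(r"^[A-Za-z]{10}\.BiBi[1-5]$")
# Extensions the wiper is reported to skip.
SKIPPED_EXTS = {".exe", ".dll", ".sys"}

def triage_tree(root: str) -> dict:
    """Walk `root` and summarise evidence consistent with the BiBi rename scheme."""
    wiped, survivors, untouched = 0, Counter(), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if WIPED_NAME.match(name):
                wiped += 1
                continue
            ext = os.path.splitext(name)[1].lower()
            survivors[ext] += 1
            # A non-exempt file the wiper should have renamed but did not:
            # worth a look (locked file, or a path the wiper never reached).
            if ext not in SKIPPED_EXTS:
                untouched.append(os.path.join(dirpath, name))
    return {
        "wiped": wiped,
        "survivors_by_ext": dict(survivors),
        "untouched_non_exempt": untouched,
        "all_non_exempt_wiped": wiped > 0 and not untouched,
    }

def build_sample_tree() -> str:
    """Constructed directory imitating a wiped share; not real victim data."""
    root = tempfile.mkdtemp(prefix="bibi_triage_")
    names = ["QwErTyUiOp.BiBi3", "abcdefghij.BiBi1", "app.exe", "helper.dll",
             "driver.sys", "notes.txt"]
    for n in names:
        with open(os.path.join(root, n), "wb") as fh:
            fh.write(os.urandom(32))  # content is irrelevant to the name check
    return root
```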

The implant also deletes shadow copies from the system, preventing the user from recovering their files unless they have an offline backup handy. Shadow Copy is a technology included in Windows that creates backup copies or snapshots of computer files or volumes, even when they are in use.

cmd.exe /c vssadmin delete shadows /quiet /all
cmd.exe /c wmic shadowcopy delete

It also disables the trigger that brings up the Windows Error Recovery screen on startup.

cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

It then turns off the Windows Recovery feature so the system cannot be recovered.

cmd.exe /c bcdedit /set {default} recoveryenabled no

All cmd commands in the code are stored reversed (right-to-left) to bypass the simple pattern-matching rules typically used by legacy antivirus (AV) products.

Figure 3: BiBi-Windows Wiper’s commands stored with a right-to-left technique.
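As an added example (not from the original analysis), a Python string scanner that accounts for the reversed storage described above: it searches a byte blob for the quoted commands forward and reversed, in ASCII and UTF-16LE, with tolerant spacing. The blob it scans is constructed here, not bytes from the sample.

```python
import re

# Commands quoted in the analysis above; this list is constructed for the example.
KNOWN_COMMANDS = [
    "vssadmin delete shadows /quiet /all",
    "wmic shadowcopy delete",
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "bcdedit /set {default} recoveryenabled no",
]

def _needle(text: str, wide: bool) -> bytes:
    """Regex (bytes) for `text` with flexible spacing, in ASCII or UTF-16LE."""
    enc = "utf-16-le" if wide else "ascii"
    sep = rb"(?:\x20\x00)+" if wide else rb"\s+"
    return sep.join(re.escape(tok.encode(enc)) for tok in text.split())

def find_commands(blob: bytes) -> list:
    """Locate every known command in both orientations and both encodings.
    Returns (command, orientation, encoding, offset) tuples."""
    hits = []
    for cmd in KNOWN_COMMANDS:
        for orientation, text in (("forward", cmd), ("reversed", cmd[::-1])):
            for encoding, wide in (("ascii", False), ("wide", True)):
                for m in re.finditer(_needle(text, wide), blob):
                    hits.append((cmd, orientation, encoding, m.start()))
    return hits

def reversed_only(blob: bytes) -> list:
    """Commands that appear only reversed: a naive forward search misses them."""
    hits = find_commands(blob)
    forward = {h[0] for h in hits if h[1] == "forward"}
    return sorted({h[0] for h in hits if h[1] == "reversed"} - forward)

def _rev(s: str) -> str:
    return s[::-1]

# Constructed sample (not bytes from the real binary): padding, one reversed
# ASCII command with irregular spacing, one reversed UTF-16LE ("wide") command.
SAMPLE = (
    b"\x00" * 16
    + _rev("bcdedit /set {default}  recoveryenabled no").encode("ascii")
    + b"\x00" * 8
    + _rev("vssadmin delete shadows /quiet /all").encode("utf-16-le")
    + b"\x00" * 8
)
```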

Finally, BiBi-Windows Wiper relies on the Restart Manager (Rstrtmgr.dll) to see the wiping process through to the end.

Conclusion

As the Israel-Hamas war continues to escalate, it seems there are no safe harbors in either the physical or digital realm. Wipers are typically utilized in attacks prompted by geopolitical events because the goal of a wiper is destruction, plain and simple, rather than the monetary objectives that motivate attackers who spread non-wiping malware or ransomware.

As the conflict continues, it’s likely we’ll see more of this type of attack.

Indicators of Compromise (IOCs)

File Name: bibi.exe
Size: 203.00 KB (207872 bytes)
SHA-256: 40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17


Hunting Yara Rule

rule BIBI_Wiper_Windows {
    meta:
        description = "BiBi-Windows Wiper used in the Gaza War"
        author = "The Arctic Wolf Labs team"
        date = "2023-10-31"
        hash = "40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17"
        version = "1.0"

    strings:
        $a1 = "[+] Stats: " ascii wide
        $a2 = "C:\\Users" ascii wide
        $a3 = "[!] Waiting For Queue " ascii wide
        $a4 = "[+] Round " ascii wide
        $a5 = "[+] Path: " ascii wide
        $a6 = "[+] CPU cores: " ascii wide

    condition:
        uint16(0) == 0x5a4d and filesize < 2000KB and all of ($a*)
}

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.

Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.


This article was originally posted on the BlackBerry® blog on November 10th, 2023. Arctic Wolf acquired Cylance® from BlackBerry in February 2025. The Cylance and BlackBerry Research & Intelligence teams are now part of the Arctic Wolf® Labs team.
