Pro-Hamas Hacktivists Employ Wiper Malware Against Israeli Organizations.
wiper malware known as BiBi-Linux Wiper. This malware specifically targets entities within Israel during the ongoing conflict between Israel and Hamas.
In a report published today, Security Joes describes the malware as an x64 ELF executable with no obfuscation or protective measures. It lets its operators choose specific directories as targets and, when run with root privileges, can wipe an entire operating system.
Beyond this core function, the wiper is multithreaded, corrupting files in parallel to speed up the process and widen its reach. It overwrites each file and then renames it, appending the hard-coded string “BiBi” in the format “[RANDOM_NAME].BiBi[NUMBER]”. It also allows specific file types to be excluded from corruption.
According to the cybersecurity firm, the seemingly arbitrary string “bibi” in the filename takes on clear significance in the context of Middle Eastern politics: it is a common nickname for Benjamin Netanyahu, the Prime Minister of Israel.
The malware, written in C/C++ and 1.2 MB in size, lets the operator designate target directories through command-line options. If no path is given, it defaults to the root directory (“/”); wiping at that level, however, requires root privileges.
Another notable trait of BiBi-Linux Wiper is its use of the nohup command at launch, which lets it keep running unhindered in the background. Files with the .out and .so extensions are excluded from overwriting.
The firm explains that the threat depends on these files to function: its own bibi-linux.out and nohup.out, and the shared libraries (.so files) that the Unix/Linux operating system relies on.
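The renaming format, the excluded extensions and the file names described above give an incident responder something concrete to look for on a suspected host. The following triage helper is an added example, not code from Security Joes or from the article: it classifies a file listing (for instance the output of `find` fed on standard input) by the “[RANDOM_NAME].BiBi[NUMBER]” pattern, reports how many wiped files sit in each directory, and separately lists surviving .out/.so files and the two file names the report ties to the wiper. The sample paths are constructed for illustration; the regular expression is my reading of the reported format, not a signature published by the researchers.

```python
"""Triage a file listing for traces of the BiBi-Linux Wiper rename pattern.

Added example; assumes the rename format "[RANDOM_NAME].BiBi[NUMBER]" and the
.out/.so exclusions exactly as described in the Security Joes report.
"""
import os
import re
import sys
from collections import Counter

# Post-wipe file name: arbitrary name, then ".BiBi" and one or more digits.
WIPED_NAME_RE = re.compile(r"^[^/]+\.BiBi\d+$")

# Extensions the wiper skips so it does not destroy its own dependencies.
SKIPPED_EXTENSIONS = (".out", ".so")

# File names the report associates with the wiper's own operation.
KNOWN_FILENAMES = {"bibi-linux.out", "nohup.out"}


def is_wiped_name(path):
    """True if the basename matches the post-wipe rename format."""
    return WIPED_NAME_RE.match(os.path.basename(path)) is not None


def has_skipped_extension(path):
    """True if the file carries an extension the wiper leaves alone."""
    return os.path.basename(path).endswith(SKIPPED_EXTENSIONS)


def triage(paths):
    """Classify a list of file paths.

    Returns a dict with:
      wiped          - paths matching the rename pattern (contents presumed lost)
      per_directory  - number of wiped files per parent directory
      skipped_ext    - surviving files whose extension the wiper excludes
      known_names    - paths whose basename the report ties to the wiper
    """
    wiped, skipped, known = [], [], []
    for p in paths:
        name = os.path.basename(p)
        if is_wiped_name(p):
            wiped.append(p)
        elif has_skipped_extension(p):
            skipped.append(p)
        if name in KNOWN_FILENAMES:
            known.append(p)
    per_dir = Counter(os.path.dirname(p) for p in wiped)
    return {
        "wiped": wiped,
        "per_directory": dict(per_dir),
        "skipped_ext": skipped,
        "known_names": known,
    }


# Constructed sample listing for a dry run; not data from a real incident.
SAMPLE_PATHS = [
    "/srv/data/reports/x8Fk2.BiBi1",
    "/srv/data/reports/Lq9pA.BiBi2",
    "/srv/data/reports/libhelper.so",
    "/srv/data/reports/README",
    "/home/ops/notes.txt",
    "/home/ops/nohup.out",
    "/home/ops/zZt0.BiBi3",
    "/opt/app/bin/bibi-linux.out",
]


def main(argv):
    # "-" reads one path per line from stdin (e.g. `find / -type f | python3 triage.py -`).
    if argv[1:] == ["-"]:
        paths = [line.rstrip("\n") for line in sys.stdin if line.strip()]
    else:
        paths = SAMPLE_PATHS
    result = triage(paths)
    print(f"wiped files: {len(result['wiped'])}")
    for directory, count in sorted(result["per_directory"].items()):
        print(f"  {directory}: {count}")
    print(f"surviving .out/.so files: {len(result['skipped_ext'])}")
    for p in result["known_names"]:
        print(f"  name associated with the wiper: {p}")


if __name__ == "__main__":
    main(sys.argv)
```

A directory in which ordinary files have become `.BiBi<n>` names while only .out and .so files survive is exactly the footprint the report describes, so the per-directory counts are a quick way to scope which mounts were reachable by the process that ran. Matching is on names only; it says nothing about a file whose contents were overwritten but whose rename did not complete.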
Separately, Sekoia recently reported that Arid Viper, a suspected Hamas-aligned threat actor, is likely organized into two distinct sub-groups dedicated to cyber espionage against Israel and Palestine, respectively. Arid Viper is also tracked as APT-C-23, Desert Falcon, Gaza Cyber Gang, and Molerats.
According to research recently published by SentinelOne's Tom Hegel and Aleksandar Milenkoski, targeting individuals is a prevalent Arid Viper strategy.
This covers pre-selected high-profile targets on both the Palestinian and Israeli sides, as well as broader groups in important sectors such as defense and government, law enforcement, and political parties or movements.
The group's attack chains use social engineering and phishing as the initial intrusion vectors to deliver a range of custom malware for surveilling its targets, including Micropsia, PyMicropsia, Arid Gopher, and BarbWire, along with a previously undocumented backdoor named Rusty Viper, written in Rust.
A recent ESET report notes that Arid Viper's malware has a wide range of espionage capabilities, including capturing audio through the device's microphone, detecting and exfiltrating data from inserted flash drives, and stealing saved browser credentials, among others.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also writes frequently for Craw Security.