The Security Joes Incident Response team has uncovered a malicious data-wiping threat known as “BiBi-Linux.” This malware has been employed in targeted attacks against Linux systems owned by Israeli companies.
The discovery was made during an investigation into a network breach within an Israeli organization. Currently, only two malware scanning engines on VirusTotal identify BiBi-Linux as a threat. Unlike traditional ransomware, BiBi-Linux refrains from dropping ransom notes or providing communication channels for victims to negotiate decryption payments. However, it mimics file encryption.
Security Joes explained, “This new threat does not establish communication with remote Command & Control (C2) servers for data exfiltration, employ reversible encryption algorithms, or leave ransom notes as a means to coerce victims into making payments. Instead, it conducts file corruption by overwriting files with useless data, damaging both the data and the operating system.”
The malware, in the form of an x64 ELF executable named “bibi-linux.out,” grants attackers the ability to choose specific folders for encryption using command-line parameters. In the absence of a specified target path, if the payload runs with root privileges, it can entirely wipe the operating system by attempting to delete the root directory (‘/’).
BiBi-Linux utilizes multiple threads and a queue system for enhanced speed and effectiveness, overwriting file contents and appending a ransom-like extension featuring the term ‘BiBi’ (a nickname for Israel’s Prime Minister, Benjamin Netanyahu) followed by a number, indicating the number of file wipes.
Notably, the malware sample lacks obfuscation, packing, or other protective measures, simplifying the work of malware analysts. This suggests that the threat actors prioritize maximizing the impact of their attacks over evading analysis.
The use of destructive malware is not exclusive to this case. Russian threat groups, particularly after the invasion of Ukraine in February 2022, have widely utilized data-wiping malware to target Ukrainian organizations. Some of the wiper malware employed in these attacks include DoubleZero, HermeticWiper, IsaacWiper, WhisperGate, and AcidRain.
Russian Sandworm military hackers deployed multiple data-wiping malware strains on the network of Ukraine’s national news agency, Ukrinform, in January, illustrating the growing concern over these destructive tools in cyberattacks.