Since the Palestinian militant group Hamas raided Israel in early October, triggering the Israeli-Palestinian conflict, hundreds of hacker groups have declared support for one side or the other and pressed their demands through DDoS attacks on corporate organizations in the opposing countries. Some hacker groups, however, have adopted more radical methods and caused more serious damage.
At the end of October, Security Joes disclosed BiBi-Linux, a data-destruction program (wiper) aimed at Israeli organizations. It was suspected to be the work of Hamas hackers and specifically targeted Linux hosts; the BiBi string most likely refers to the nickname of the Israeli Prime Minister, Benjamin Netanyahu. ESET researchers then reported (https://twitter.com/ESETresearch/status/1719437301900595444) a variant that can attack Windows computers and servers; the attacker is a Hamas hacker named BiBiGun. The Israeli Computer Emergency Response Team (IL-CERT) also issued a warning and provided YARA signatures so that enterprise organizations can detect related attacks. Now, some researchers have announced further findings.
A malicious program targeting Windows computers appears
The information security company BlackBerry pointed out that the Windows version of the wiper, BiBi-Windows, was built on October 21 and compiled with Microsoft Visual Studio 2019. It is a 64-bit executable only 203 KB in size. Once a computer is infected, the wiper first checks the processor architecture and the number of execution threads. To destroy data as quickly as possible, the malicious program typically uses 12 execution threads and occupies 8 processor cores. It destroys all files other than EXE, DLL, and SYS files, deletes the backups kept by the Volume Shadow Copy service, and disables the Windows restore function.
As for how files are destroyed, the wiper overwrites them with random data, rendering them unusable and unrecoverable. The damaged files are then renamed to a file name of 10 random characters with an extension from BiBi1 to BiBi5. Researchers pointed out that the hackers spare the three file types above so that the computer's operating system keeps running long enough for the data destruction to complete.
To let the attack proceed smoothly, the hackers also abused the Windows operating system's built-in Restart Manager component and the program library named Rstrtmgr.dll.
The purpose of using Restart Manager is most likely to force locked files to be released so that they can then be destroyed. This technique has appeared before: in 2020, VMware's threat protection team pointed out that the Conti ransomware used the same method to encrypt locked files. (Editor's note: how attackers abuse this tool is described in an explanation from the security company CrowdStrike.)
To evade detection, all command strings used by the attacker are stored in right-to-left (RTL) order, which may evade the signatures of some anti-virus software. How the hackers distribute this wiper, however, researchers say they still do not know.
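Two host-side checks a defender can derive from the behaviour described above: flagging files that carry the wiper's rename pattern (10 random characters plus a BiBi1 to BiBi5 extension) and matching a plain string watchlist against reversed (RTL-stored) strings so the reversal trick does not defeat a substring signature. This is an added example, not code from BlackBerry or the article; the alphanumeric character class for the random stem, the sample listing and the extracted strings are all constructed assumptions.

```python
from __future__ import annotations
import re
from typing import Iterable, List, Tuple

# Constructed directory listing: what a partially wiped folder might look like.
# EXE/DLL/SYS files are left alone by the wiper, so they appear untouched.
SAMPLE_LISTING = [
    "quarterly_report.docx",
    "aK3pQz9mLx.BiBi1",
    "notepad.exe",
    "Zt7bN4vHq2.BiBi5",
    "readme.BiBi6",   # outside the documented BiBi1..BiBi5 range
    "short.BiBi2",    # stem is not 10 characters
    "ntdll.dll",
]

# Assumption: the 10 random characters are alphanumeric (the article does not
# state the alphabet); widen the class if samples show otherwise.
BIBI_RENAME = re.compile(r"^[A-Za-z0-9]{10}\.BiBi[1-5]$")


def wiper_renamed_files(names: Iterable[str]) -> List[str]:
    """Return the entries whose name matches the BiBi rename pattern."""
    return [n for n in names if BIBI_RENAME.match(n)]


# Watchlist built from strings the article itself mentions; a real deployment
# would use the IL-CERT YARA rules or an organisation's own signature set.
WATCHLIST = ["Rstrtmgr.dll", "BiBi"]


def reversed_watchlist_hits(strings: Iterable[str],
                            watchlist: Iterable[str] = WATCHLIST) -> List[Tuple[str, str]]:
    """Report (extracted_string, watchlist_term) pairs where the term appears
    only in reversed form, i.e. the sample stored it right-to-left."""
    hits = []
    for s in strings:
        for term in watchlist:
            if term[::-1] in s and term not in s:
                hits.append((s, term))
    return hits


# Constructed strings, as a strings-style extractor might pull them from a
# binary that stores its command material reversed.
SAMPLE_STRINGS = ["lld.rgmtrtsR", "kernel32.dll", "5iBiB"]

if __name__ == "__main__":
    print("renamed files:", wiper_renamed_files(SAMPLE_LISTING))
    print("reversed hits:", reversed_watchlist_hits(SAMPLE_STRINGS))
```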
Researchers first saw the Linux malware campaign
This is not the first wiper attack targeting Israel since the conflict began. While assisting in the investigation at an Israeli corporate organization, the incident response team of Security Joes discovered a wiper named BiBi-Linux, which was apparently aimed at corporate organizations in the country and was suspected to be operated by hackers affiliated with Hamas, created with the intention of causing chaos during the war.
Researchers pointed out that what is special about this wiper is that it does not connect to a C2 server, does not exfiltrate the victim organization's information, and leaves no ransom note demanding payment.
Instead, the wiper overwrites files with useless data, making recovery difficult and even affecting the entire operating system. Moreover, the program runs multiple processes and is executed through the scheduling system, and the destroyed files end up with a BiBi extension string. The hackers' purpose in doing this is obviously to maximize the efficiency of the sabotage operation.
As with the Windows version, BiBi-Windows, the hackers also exclude .out and .so files, because the Linux wiper's own bibi-linux.out and nohup.out files, as well as the .so program libraries, are required for operation on the Linux operating system.
It is worth noting that when the researchers published their findings, only two anti-virus engines on the malware analysis website VirusTotal flagged the program as malicious.
As for the identity of the attacker, the researchers later disclosed further investigation results. The hacker who launched the above data-destruction attack has operated a Telegram channel named Karma since October 7, with the slogan “Bibi will shatter our dream of turning 80”, which is most likely a reference to Israel's upcoming 80th anniversary in 2028. These hackers tried to pass themselves off as Israeli organizations in an attempt to spread false information about the country's Prime Minister.
Based on the evidence obtained by researchers, the hacker who launched the attack is believed to be related to the Iranian hacker group Moses Staff.