BiBi-Windows Cleaner Malware Targets Windows Systems
It is designed to overwrite data in the C:\Users directory
Cybersecurity researchers have warned about a Windows version of a wiper malware that was previously observed targeting Linux systems in cyberattacks against Israel.
Dubbed BiBi-Windows Wiper by BlackBerry, the wiper is the Windows counterpart to BiBi-Linux Wiper, which has been used by a pro-Hamas hacktivist group in the wake of the war between Israel and Hamas last month.
“The Windows variant confirms that the threat actors who created the wiper continue to develop the malware and indicates an expansion of the attack to target end-user machines and application servers,” the Canadian company said on Friday.
The Slovak cybersecurity firm is tracking the actor behind the wiper under the name BiBiGun, noting that the Windows variant (bibi.exe) is designed to recursively overwrite data in the C:\Users directory with junk data and append .BiBi to the file names.
The BiBi-Windows Wiper artifact is said to have been compiled on October 21, 2023, two weeks after the start of the war. The exact method by which it is distributed is currently unknown.
In addition to corrupting all files except those with .exe, .dll, and .sys extensions, the wiper deletes system shadow copies, effectively preventing victims from recovering their files.
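A small triage helper for responders, written for this article and not taken from BlackBerry or Security Joes: it walks a directory tree, counts files carrying the .BiBi suffix described above (grouped by their original extension) and lists the .exe/.dll/.sys binaries the article says the wiper leaves alone. It assumes the wiper appends .BiBi to the existing name (e.g. report.docx becomes report.docx.BiBi); the sample profile directory it scans is constructed inline.

```python
import os
import tempfile
from collections import Counter

WIPER_SUFFIX = ".BiBi"
SPARED_EXTENSIONS = {".exe", ".dll", ".sys"}  # extensions the article says are not overwritten


def scan_for_wiped_files(root):
    """Walk `root` recursively; return (wiped_paths, Counter of original extensions, spared_binaries)."""
    wiped, by_ext, spared = [], Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(WIPER_SUFFIX):
                # Assumption: original file name is kept and .BiBi is appended to it.
                original = name[: -len(WIPER_SUFFIX)]
                ext = os.path.splitext(original)[1].lower() or "<none>"
                wiped.append(path)
                by_ext[ext] += 1
            elif os.path.splitext(name)[1].lower() in SPARED_EXTENSIONS:
                spared.append(path)
    return wiped, by_ext, spared


def build_sample_tree():
    """Create a constructed mock of a post-wipe user profile directory (not real victim data)."""
    root = tempfile.mkdtemp(prefix="bibi_triage_")
    layout = {
        "alice/Documents/budget.xlsx.BiBi": b"\x00" * 64,   # overwritten with junk
        "alice/Documents/notes.txt.BiBi": b"\xff" * 32,
        "alice/AppData/Local/app.exe": b"MZ-placeholder",     # spared executable
        "bob/Desktop/photo.jpg.BiBi": b"junk",
        "bob/Desktop/README.md": b"untouched",               # not yet reached by the wiper
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    wiped, by_ext, spared = scan_for_wiped_files(root)
    print(f"{len(wiped)} wiped files; by original extension: {dict(by_ext)}")
    print(f"{len(spared)} spared binaries (.exe/.dll/.sys): {spared}")
```

Point `scan_for_wiped_files` at a mounted image of C:\Users to get a quick per-extension impact summary before deciding on restore options.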
Another notable similarity to its Linux variant is its multi-threading capability.
“To achieve the fastest possible destruction, the malware runs 12 threads with eight processor cores,” said Dmitry Bestuzhev, senior director of cyber threat intelligence at BlackBerry.
It is not immediately clear whether the wiper has been used in real-world attacks and, if so, who the targets are.
The development comes as Security Joes, which first documented BiBi-Linux Wiper, said the malware is part of a “larger campaign targeting Israeli companies with the deliberate intention of disrupting their daily operations by destroying data.”
The cybersecurity firm said it identified tactical overlaps between the hacktivist group, which calls itself Karma, and another geopolitically motivated actor codenamed Moses Staff (also known as Cobalt Sapling), which is suspected of being of Iranian origin.
“Although the campaign to this point has primarily focused on Israel’s government and IT sectors, some of the participating groups, such as Moses Staff, have a history of simultaneously attacking organizations in multiple business sectors and geographic locations,” Security Joes said.