Cybersecurity experts have warned about a Windows version of a “wiper” malware, called BiBi-Windows Wiper, that had previously been observed targeting Linux systems in cyberattacks directed at Israel.

Where did BiBi-Windows Wiper come from and who created it?

Dubbed BiBi-Windows Wiper by BlackBerry, the wiper is the Windows counterpart of BiBi-Linux Wiper, which was used by a group of pro-Hamas hacktivists following last month’s war between Israel and Hamas.

“The Windows edition […] confirms that the attackers who created the wiper are continuing to develop the malware and indicates a broadening of the attack to target end-user machines and application servers,” the Canadian company said last Friday.

ESET, the well-known Slovak cybersecurity company, is tracking those behind the wiper variant under the name BiBiGun, and noted that the Windows variant (bibi.exe) is designed to recursively overwrite data in the C:\Users directory with invalid data and to append .BiBi to the file name.

The BiBi-Windows Wiper artifact is believed to have been compiled on October 21, 2023, two weeks after the start of the war. The precise method of distribution of the malware is currently unknown.

In addition to corrupting all files except those with .exe, .dll and .sys extensions, the wiper erases shadow copies from the system, effectively preventing victims from recovering their files.
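A defender-side illustration of the behaviour described above (files under C:\Users renamed with .BiBi appended, .exe/.dll/.sys left alone): this is an added example, not code from BlackBerry, ESET or the original article, and it flags a process that produces a burst of such renames. The event tuples, PIDs, paths, window and threshold are constructed assumptions; real input would come from file-rename telemetry.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SKIPPED = {".exe", ".dll", ".sys"}  # extensions the article says are left alone
WINDOW = timedelta(seconds=10)      # assumed tuning value, not from the article
THRESHOLD = 5                       # assumed tuning value, not from the article
T0 = datetime(2023, 11, 1, 9, 0, 0)  # constructed base time for the sample data

def _ev(sec, pid, image, old, new):
    return (T0 + timedelta(seconds=sec), pid, image, old, new)

# Constructed rename events: (timestamp, pid, image, old_path, new_path)
EVENTS = [_ev(i, 4312, "bibi.exe", rf"C:\Users\alice\Docs\report{i}.docx",
              rf"C:\Users\alice\Docs\report{i}.docx.BiBi") for i in range(6)]
EVENTS += [
    _ev(2, 900, "explorer.exe", r"C:\Users\bob\notes.txt", r"C:\Users\bob\notes.bak"),
    _ev(3, 900, "explorer.exe", r"C:\Users\bob\photo.jpg", r"C:\Users\bob\photo.jpg.BiBi"),
    _ev(4, 4312, "bibi.exe", r"C:\Windows\Temp\x.tmp", r"C:\Windows\Temp\x.tmp.BiBi"),
]

def is_wiper_rename(old, new):
    """True if a file under C:\\Users had .BiBi appended to its existing name."""
    o = PureWindowsPath(old)
    parts = [p.lower() for p in o.parts]
    under_users = parts[:2] == ["c:\\", "users"]
    appended = str(PureWindowsPath(new)).lower().startswith(str(o).lower() + ".bibi")
    return under_users and appended and o.suffix.lower() not in SKIPPED

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(pid, image): time the burst threshold was first reached}."""
    recent = defaultdict(deque)  # per-process timestamps of matching renames
    alerts = {}
    for ts, pid, image, old, new in sorted(events):
        if not is_wiper_rename(old, new):
            continue
        q = recent[(pid, image)]
        q.append(ts)
        while ts - q[0] > window:  # drop renames older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault((pid, image), ts)
    return alerts

if __name__ == "__main__":
    for (pid, image), ts in detect(EVENTS).items():
        print(f"{ts.isoformat()} pid={pid} image={image}: burst of .BiBi renames")
```

A single .BiBi rename by another process and renames outside C:\Users stay below the threshold, so only the process responsible for the burst is reported.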

Another notable similarity to its Linux counterpart is its multithreading capability, that is, the division of a process into two or more threads (sub-processes) that a processing system (computer, smartphone, etc.) executes concurrently.

“For the quickest possible destruction, the malware runs 12 threads with eight processor cores,” said Dmitry Bestuzhev, senior director of cyber threat intelligence at BlackBerry.

It is not immediately clear whether the wiper has been used in real attacks and, if so, who the targets are.

This discovery comes after Security Joes, which first documented BiBi-Linux Wiper, stated that the malware is part of a “broader campaign targeting Israeli companies with the deliberate intent of disrupting their daily operations through data destruction.”

The cybersecurity firm said it had identified tactical overlaps between the hacktivist group, which calls itself Karma, and another geopolitically motivated cybercriminal group named Moses Staff (aka Cobalt Sapling), suspected of having Iranian origins.

“While the campaign has primarily focused on the Israeli IT and government sectors up to this point, some of the participating groups, such as Moses Staff, have a history of simultaneously targeting organizations across various business sectors and geographic locations,” Security Joes said.

Conclusion

The discovery of BiBi-Windows Wiper highlights the evolution of cyber threats and the continuous adaptation of cybercriminals. The fact that a wiper malware previously observed in targeted attacks on Linux systems is now available for Windows demonstrates how malware (through the human hand) can “evolve”.

It is important for organizations and end users to maintain robust cybersecurity measures and remain vigilant against these constantly evolving threats. Cooperation between cybersecurity companies and security agencies is essential to effectively address such threats and protect digital infrastructure.