2023-10-30

A group of pro-Hamas hacktivists is using a new Linux-based wiper malware, called BiBi-Linux Wiper, to target Israeli entities amid the ongoing war between Israel and Hamas.

What we know about the Wiper malware

“This malware [wiper] is an x64 ELF executable, with no obfuscation or protective measures,” Security Joes stated in a new report released today. “It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions.”

Other features of this malware include multithreading to corrupt many files at once (improving its speed and reach), overwriting files, renaming them with an extension containing the hardcoded string “BiBi” (in the format “[RANDOM_NAME].BiBi[NUMBER]”), and excluding certain file types from being damaged.

“Although the string ‘bibi’ (in the file name) may seem random, it has a significant impact when mixed with topics such as Middle East politics, as it is a common nickname used for the Israeli Prime Minister, Benjamin Netanyahu,” the cybersecurity firm added.

The destructive malware, written in C/C++ and 1.2 MB in size, lets its unknown authors specify target folders via command-line parameters in a Linux terminal, defaulting to the root directory (“/”) if no path is provided. Wiping at that level, however, requires root permissions.

Another noteworthy aspect of BiBi-Linux Wiper is its use of the nohup command (a well-known command in the Unix environment) during execution, so that it runs unhindered in the background. Related to this, some file types are excluded from overwriting, namely those with a .out or .so extension.

“This is because the threat [BiBi-Linux Wiper] relies on files like bibi-linux.out and nohup.out for its operation, along with shared libraries essential for the Unix/Linux operating system (.so files),” the company said.
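The naming pattern and the excluded auxiliary files described above give a defender something concrete to look for. The following read-only triage script is an added example, not code from the article or from Security Joes: it walks a directory tree, collects files whose names end in the “.BiBi[NUMBER]” suffix, notes any bibi-linux.out or nohup.out files found next to them, and flags directories where the number of renamed files crosses a threshold (so a single stray match is not reported as a wipe). The sample tree it builds, the file names and the threshold value are all constructed for the demonstration.

```python
"""
Added example (not from the article or from Security Joes): a read-only triage
scan for the BiBi-Linux Wiper naming pattern "[RANDOM_NAME].BiBi[NUMBER]".
It also records the auxiliary files the article says the wiper leaves alone
(bibi-linux.out, nohup.out). The sample tree below is constructed for the
demo; every file name in it is made up.
"""
import os
import re
import tempfile
from collections import Counter

# Suffix pattern from the article: "[RANDOM_NAME].BiBi[NUMBER]".
BIBI_SUFFIX = re.compile(r"\.BiBi\d+$")
# Auxiliary files named in the article; finding them beside renamed files
# strengthens the finding.
ARTEFACT_NAMES = {"bibi-linux.out", "nohup.out"}


def scan_tree(root):
    """Return (renamed_files, artefacts, per_dir_counts) for the tree at root.

    renamed_files:  sorted paths whose name matches the .BiBi<N> suffix
    artefacts:      sorted paths whose basename is bibi-linux.out or nohup.out
    per_dir_counts: Counter mapping directory -> number of renamed files
    """
    renamed, artefacts, per_dir = [], [], Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if BIBI_SUFFIX.search(name):
                renamed.append(path)
                per_dir[dirpath] += 1
            elif name in ARTEFACT_NAMES:
                artefacts.append(path)
    return sorted(renamed), sorted(artefacts), per_dir


def triage(root, threshold=3):
    """Summarise a scan. A directory holding at least `threshold` renamed
    files is reported as likely wiped; the threshold is an assumed value."""
    renamed, artefacts, per_dir = scan_tree(root)
    suspicious_dirs = sorted(d for d, n in per_dir.items() if n >= threshold)
    return {
        "renamed_count": len(renamed),
        "artefacts": artefacts,
        "suspicious_dirs": suspicious_dirs,
    }


def build_sample_tree():
    """Constructed sample tree for the demo (not real victim data).
    Returns (root, path_of_the_wiped_directory)."""
    root = tempfile.mkdtemp(prefix="bibi-demo-")
    wiped = os.path.join(root, "home", "user", "docs")
    clean = os.path.join(root, "var", "log")
    os.makedirs(wiped)
    os.makedirs(clean)
    # Four renamed victim files in the [RANDOM_NAME].BiBi[NUMBER] format.
    for number, stem in enumerate(["Kx9aQ", "p2Lm0", "zzT4r", "Qq11b"], start=1):
        open(os.path.join(wiped, f"{stem}.BiBi{number}"), "w").close()
    open(os.path.join(wiped, "nohup.out"), "w").close()   # auxiliary file
    open(os.path.join(clean, "syslog"), "w").close()      # untouched file
    open(os.path.join(clean, "libdemo.so"), "w").close()  # .so: a type the wiper skips
    return root, wiped


if __name__ == "__main__":
    demo_root, _ = build_sample_tree()
    print(triage(demo_root))
```

Pointing `triage()` at a real mount is safe because the script only reads directory listings; a hit on the suffix pattern plus a nohup.out in the same directory is a strong signal to isolate the host and preserve the disk before anything else runs there.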

This development comes as Sekoia has revealed that the suspected Hamas-affiliated group known as Arid Viper (also tracked as APT-C-23, Desert Falcon, Gaza Cyber Gang and Molerats) is likely organized into two subgroups, with each cluster focused on cyber espionage against Israel and Palestine respectively.

“Targeting individuals is a common practice of Arid Viper,” said SentinelOne researchers Tom Hegel and Aleksandar Milenkoski in an analysis published last week, adding: “This includes high-profile Palestinian and Israeli pre-selected targets, as well as broader groups, typically coming from critical sectors such as government and defense organizations, law enforcement agencies and political parties or movements.”

The series of attacks orchestrated by the Arid Viper group uses social engineering and phishing as initial intrusion vectors to distribute a wide variety of custom malware for spying on victims; this includes Micropsia, PyMicropsia, Arid Gopher and BarbWire, as well as a new, previously undocumented backdoor called Rusty Viper, written in Rust.

“Collectively, Arid Viper’s arsenal offers several spying features such as recording audio with the microphone, detecting inserted flash drives and extracting files from them, and stealing saved browser credentials, to name just a few,” ESET wrote in a report published earlier this month.

Conclusion

Linux operating systems are historically more robust than Windows; however, as the BiBi-Linux Wiper case shows, this does not mean they are invulnerable, so governments must also strengthen cybersecurity on Linux systems. This is just the latest demonstration that the well-known adage “install Linux and you won’t get viruses” is simply not true.