Pro-Hamas Hacktivists Target Israeli Entities with Wiper Malware

Oct 30, 2023NewsroomCyber ​​War / Malware

Wiper Malware

A pro-Hamas hacktivist group has been observed using a new Linux-based wiper malware dubbed BiBi-Linux Wipertargeting Israeli entities amid the ongoing Israel-Hamas war.

“This malware is an x64 ELF executable, lacking obfuscation or protection measures,” Security Joes SAYS in a new report published today. “This allows attackers to identify target folders and potentially crash an entire operating system when run with root permissions.”

Some of its capabilities include multithreading to damage files simultaneously to increase their speed and reach, overwrite files, rename them with an extension containing the hard-coded string “BiBi” (in the format “(RANDOM_NAME ).BiBi(NUMBER)”), and exclude certain file types from becoming corrupt.


“While the string “bibi” (in the filename), may appear random, it has significant meaning when mixed with topics such as Middle East politics, since it is a common nickname used for the Prime Minister of Israel, Benjamin Netanyahu,” the cybersecurity company added.

The malicious malware, coded in C/C++ and carrying a file size of 1.2 MB, allows the threat actor to specify target folders through command-line parameters, through default selection for the root directory (” if no path is given. However, performing action at this level requires root permissions.

Another unique aspect of BiBi-Linux Wiper is its use in ordered during execution to run it unobstructed in the background. Some of the file types that are not overwritten are those with the extensions .out or .so.

“This is because the threat relies on files like bibi-linux.out and nohup.out for its operation, along with shared libraries essential to Unix/Linux OS (.so files),” the company said.

Progress comes as Sekoia Revelation that the suspected Hamas-affiliated threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, Gaza Cyber ​​Gang, and Molerats) is likely organized as two sub-groups, with each cluster focused on cyber espionage activities against Israel and Palestine, respectively.

“Targeting individuals is a common practice of the Arid Viper,” SentinelOne researchers Tom Hegel and Aleksandar Milenkoski SAYS in an analysis released last week.


“This includes pre-selected Palestinian and Israeli high-profile targets as well as broader groups, often from critical sectors such as defense and government organizations, law enforcement, and political parties or movements.”

The attack chains orchestrated by the group included social engineering and phishing attacks as initial intrusion vectors to deploy various custom malware to spy on its victims. It includes Micropsia, PyMicropsia, Arid Gopher, and BarbWire, and a new undocumented backdoor called Rusty Viper written in Rust.

“In general, the Arsenal of Arid Viper provides various surveillance capabilities such as recording audio with a microphone, detecting an inserted flash drive and exfiltrating files from it, and stealing saved browser credentials, to name just a few,” ESET THE audience earlier this month.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment