BiBi-Windows Wiper Malware Used Against Israel

Security researchers have issued a warning regarding a Windows version of a wiper malware that had previously targeted Linux systems in cyber attacks against Israel.

BlackBerry has named the malware BiBi-Windows Wiper. It is the Windows counterpart of BiBi-Linux Wiper, which a pro-Hamas hacktivist group used following the Israel-Hamas war, and its appearance suggests the threat actors are continuing to develop the malware. The Windows variant expands the attack to end-user machines and application servers. The Canadian company disclosed this information on Friday.

A Slovak cybersecurity firm, which tracks the actor behind the wiper as BiBiGun, reported that the Windows variant (bibi.exe) is designed to recursively overwrite data in the C:\Users directory with junk data and append .BiBi to the filename. The sample was compiled on October 21, 2023, two weeks after the war began. Its distribution method remains unknown at present.

The BiBi-Windows Wiper corrupts all files except those with .exe, .dll, and .sys extensions. It also deletes shadow copies from the system, preventing victims from recovering their files. Like its Linux counterpart, the Windows variant is multithreaded. Whether the artifact has been deployed in real-world attacks, and against which targets, remains unclear at the moment.
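The behavior described above gives defenders a concrete pattern to watch for in file-rename telemetry. The following is an added detection sketch, not code from the article or from the researchers it cites; the event tuple format, the window and threshold values, and all pids and paths are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WIPER_SUFFIX = ".bibi"                    # suffix the article says is appended
SPARED = {".exe", ".dll", ".sys"}         # extensions the article says are skipped
WATCHED_ROOT = PureWindowsPath("C:/Users")
WINDOW = timedelta(seconds=10)            # assumed tuning value, not from the article
THRESHOLD = 3                             # assumed tuning value, not from the article

def is_wiper_rename(old, new):
    """True if a rename fits the reported pattern: a file below the watched
    root, not .exe/.dll/.sys, ends up with the .BiBi suffix."""
    old_p, new_p = PureWindowsPath(old), PureWindowsPath(new)
    if new_p.suffix.lower() != WIPER_SUFFIX:
        return False
    if old_p.suffix.lower() in SPARED:
        return False
    return WATCHED_ROOT in old_p.parents   # Windows paths compare case-insensitively

def flag_processes(events):
    """events: (iso_timestamp, pid, old_path, new_path) tuples (assumed format).
    Returns sorted pids with >= THRESHOLD matching renames inside WINDOW."""
    hits = defaultdict(list)
    for ts, pid, old, new in events:
        if is_wiper_rename(old, new):
            hits[pid].append(datetime.fromisoformat(ts))
    flagged = set()
    for pid, times in hits.items():
        times.sort()
        for i in range(len(times) - THRESHOLD + 1):
            if times[i + THRESHOLD - 1] - times[i] <= WINDOW:
                flagged.add(pid)
                break
    return sorted(flagged)

# Constructed sample telemetry; pids and paths are made up for the example.
U = "C:\\Users\\alice\\"
SAMPLE_EVENTS = [
    ("2023-11-13T10:00:00", 4120, U + "q3.xlsx", U + "q3.xlsx.BiBi"),
    ("2023-11-13T10:00:01", 4120, U + "cv.docx", U + "cv.docx.BiBi"),
    ("2023-11-13T10:00:02", 4120, U + "me.jpg", U + "me.jpg.BiBi"),
    ("2023-11-13T10:00:03", 900, U + "note.txt", U + "note.txt.BiBi"),   # single hit
    ("2023-11-13T10:00:04", 777, "D:\\a.txt", "D:\\a.txt.BiBi"),         # outside root
    ("2023-11-13T10:00:05", 777, "D:\\b.txt", "D:\\b.txt.BiBi"),
    ("2023-11-13T10:00:06", 777, "D:\\c.txt", "D:\\c.txt.BiBi"),
]

if __name__ == "__main__":
    print(flag_processes(SAMPLE_EVENTS))
```

Because the wiper is reported to be multithreaded, renames from one process can arrive out of order, which is why timestamps are sorted per pid before the window check.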

How is Wiper Malware Different from Ransomware?

Wiper malware and ransomware are both types of malicious software designed to cause harm to computer systems, but they differ in their primary objectives and functionalities:

Objective:

  • Wiper Malware: The main goal of wiper malware is to destroy or wipe out data on a targeted system. Its purpose is to cause disruption, damage, or sabotage rather than to extort money.
  • Ransomware: Ransomware, on the other hand, aims to encrypt files on a victim's system and then demands a ransom (usually in cryptocurrency) from the victim in exchange for the decryption key. The primary motive is financial gain.

Data Handling:

  • Wiper Malware: Wiper malware irreversibly destroys or corrupts data, making it inaccessible and often rendering the system inoperable.
  • Ransomware: Ransomware encrypts data, making it inaccessible, but the data can potentially be restored if the victim pays the ransom and obtains the decryption key.

Communication with Victims:

  • Wiper Malware: Wiper malware typically does not communicate with the victim. Once activated, it carries out its destructive actions without any negotiation or demands.
  • Ransomware: Ransomware communicates with the victim, displaying ransom notes that provide instructions on how to pay the ransom and receive the decryption key.

Recovery:

  • Wiper Malware: Recovery from wiper malware attacks can be challenging or even impossible, as the data is permanently damaged or destroyed.
  • Ransomware: While paying the ransom is not recommended, some victims choose to pay to obtain the decryption key, potentially restoring their files. However, this doesn't guarantee the recovery of all data, and it may encourage further criminal activity.
November 13, 2023