Israel warns of BiBi wiper attacks targeting Linux and Windows.
Researchers have discovered variants of the BiBi malware family that destroy data on both Linux and Windows systems, indicating an increase in data-wiping attacks on Israeli computers.
The Windows version of the BiBi malware corrupts a wide range of file types but spares .EXE, .DLL, and .SYS files. This exclusion is most likely deliberate: leaving executables, libraries, and drivers intact keeps the machine bootable and usable, so the victim sees the damage and the hacktivists' message is delivered rather than lost on an unbootable system.
Once activated, BiBi overwrites the content of each targeted file with random bytes. Because this is an overwrite rather than encryption, there is no key that could ever decrypt the data; it is simply gone. It then renames each file to a ten-character sequence of random letters, followed by an alphanumeric extension containing the string "BiBi". For instance, a file named "document.txt" might become "asdzxcqwer.BiBi3" after infection, which also destroys the original filenames and so complicates any attempt to work out what was lost.
In addition, BiBi takes steps to defeat system restoration. It deletes Volume Shadow Copies, the point-in-time snapshots Windows uses to restore files and settings. It also disables the Windows Error Recovery screen shown during boot and turns off the Windows Recovery feature, so that neither the operating system's automatic repair nor a manual rollback can undo the damage.
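As an added illustration (this is not code from BlackBerry, Security Joes or the CERT publications, and it does not reproduce the wiper's own logic), the Python below turns the two indicator classes described in the preceding two paragraphs into triage checks an incident responder could run: a filename check for the ten-letter-stem plus "BiBi" extension pattern, and a process-command-line check for the three anti-recovery behaviours. The command-line patterns are the standard Windows commands for deleting shadow copies (vssadmin, wmic shadowcopy), ignoring boot failures (bcdedit bootstatuspolicy) and disabling recovery (bcdedit recoveryenabled); whether BiBi issues exactly these command lines is an assumption here, not a statement from the page. The filenames and process events are constructed samples, and restricting the stem to ASCII letters is also an assumption.

```python
"""Triage helpers for the BiBi wiper indicators described above (added example)."""
from __future__ import annotations

import re
from typing import Iterable

# Wiped-file naming pattern from the article: ten random letters, then an
# alphanumeric extension that contains "BiBi" (e.g. asdzxcqwer.BiBi3).
# ASCII letters only is an assumption; the page does not specify the alphabet.
WIPED_NAME_RE = re.compile(r"^[A-Za-z]{10}\.(?=[A-Za-z0-9]*BiBi)[A-Za-z0-9]+$")

# Standard Windows commands for the three anti-recovery effects the article
# describes. Assumption: this is how a wiper would achieve them; the page does
# not quote BiBi's actual command lines.
ANTI_RECOVERY_RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
        re.IGNORECASE,
    ),
    "boot_error_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
        re.IGNORECASE,
    ),
    "windows_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+(?:no|off)\b",
        re.IGNORECASE,
    ),
}


def looks_wiped(filename: str) -> bool:
    """True if the name matches the post-wipe renaming pattern."""
    return WIPED_NAME_RE.match(filename) is not None


def triage_filenames(names: Iterable[str]) -> list[str]:
    """Return only the names that match the wiped-file pattern, in input order."""
    return [n for n in names if looks_wiped(n)]


def classify_command(cmdline: str) -> set[str]:
    """Return the set of anti-recovery behaviours a command line exhibits."""
    return {tag for tag, rx in ANTI_RECOVERY_RULES.items() if rx.search(cmdline)}


def scan_process_log(events: Iterable[dict]) -> dict[str, list[str]]:
    """Map each host to the sorted list of anti-recovery behaviours seen on it.

    Each event is a dict with at least "host" and "cmdline" keys (the shape of
    a process-creation record after extraction from EDR or Sysmon telemetry).
    """
    hits: dict[str, set[str]] = {}
    for ev in events:
        tags = classify_command(ev["cmdline"])
        if tags:
            hits.setdefault(ev["host"], set()).update(tags)
    return {host: sorted(tags) for host, tags in sorted(hits.items())}


def hosts_with_full_chain(events: Iterable[dict]) -> list[str]:
    """Hosts on which all three anti-recovery behaviours were observed.

    One of these commands alone has legitimate admin uses; all three together
    on one host is the pattern worth paging someone for.
    """
    per_host = scan_process_log(events)
    return [h for h, tags in per_host.items() if len(tags) == len(ANTI_RECOVERY_RULES)]


# Constructed samples, not real telemetry or real victim data.
SAMPLE_FILENAMES = [
    "document.txt",          # untouched file
    "asdzxcqwer.BiBi3",      # matches the wiped-file pattern
    "asdzxcqwe.BiBi3",       # nine-letter stem: does not match
    "qwertyuiop.BiBi1",      # matches
    "report.exe",            # executables are spared by the wiper
]

SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r"C:\Windows\System32\cmd.exe /c vssadmin delete shadows /quiet /all"},
    {"host": "ws01", "cmdline": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "ws01", "cmdline": "cmd.exe /c bcdedit /set {default} recoveryenabled no"},
    {"host": "ws02", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "ws03", "cmdline": "vssadmin list shadows"},  # read-only, benign
]

if __name__ == "__main__":
    print("wiped-looking files:", triage_filenames(SAMPLE_FILENAMES))
    print("anti-recovery by host:", scan_process_log(SAMPLE_EVENTS))
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

The filename check is only a triage aid: a wiper variant that changes the naming scheme defeats it, so it complements, rather than replaces, the published YARA rules and hashes. The command-line check is deliberately scored per host, since `vssadmin delete shadows` on its own is also run by backup software and administrators.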
The initial entry point for the BiBi infection remains unknown, according to BlackBerry's analysis.
In a recent, more detailed report, Security Joes examined the campaign run by the Karma hacktivist group, which deployed the BiBi malware. The report identifies overlaps between Karma and other known Iranian hacktivist groups, such as 'Moses Staff', a group known for encrypting victims' data destructively, without offering any ransom or recovery path.
For cybersecurity professionals and organizations looking to defend against the BiBi threat, YARA rules covering the two known variants of the BiBi wiper are available, along with hashes of the executables. These resources have been published by Security Joes and BlackBerry [1, 2]. In addition, Israel's CERT has released a set of indicators of compromise [TXT, CSV] to help identify BiBi activity.