Executive Summary
On October 7th, 2023, a war broke out between Israel and Hamas-ISIS. During the war, a pro-Hamas hacker group attacked Israeli companies with the ‘BiBi’ wiper, corrupting and disrupting their operating systems without demanding a ransom or stealing files or information from the systems.
Malware known as “Wiper” is designed to erase and corrupt data on targeted systems. Unlike other types of malware that aim to steal or spy on data, wiper malware is specifically created to cause damage, often making the affected data or system impossible to recover.
In this report, I will analyze the BiBi-Windows-based wiper and examine its characteristics, attack vectors, and methods for detecting it.
Technical Details
File Name: bibi.exe
File Type: Executable
Architecture: PE32+ (64-bit)
Size: 203KB
MD5: e26bba0304f14ef96beb60376791d32c
SHA256: 40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17
Wiper Execution Diagram
Static Analysis
In this analysis section, I will analyze and provide valuable insights into the characteristics and behavior of the wiper without executing the code.
The wiper was compiled with Microsoft Visual Studio and was likely coded in either C or C++ programming languages. Additionally, the wiper is a 64-bit executable.
Compilation Time
The wiper was compiled on October 22nd, 2023.
Strings
The following strings seem to be related to the C++ programming language. These strings are often associated with the internals of C++ classes and their runtime representations.
The wiper collects information about the date and time of the system.
The wiper execution produces system information related to system paths, processor cores, threads, rounds, and stats.
During its operation, the wiper carries out four commands in the operating system.
The malware author executes specific commands to remove shadow copies, which can make it difficult to restore data from backups.
cmd.exe /c vssadmin delete shadows /quIet /all
cmd.exe /c wmic shadowcopy delete
The malware author executes the following command to prevent the system from entering recovery mode.
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
The malware author then executes a particular command in order to disable any automatic recovery actions.
cmd.exe /c bcdedit /set {default} recoveryenabled no
During execution, the wiper renames files with a .BiBi extension and disrupts the file system.
The following string appears to be indicative of spyware or a keylogger.
Wiper DLL Usage
The wiper runs a DLL file during execution:
Malware Resources
The malware author uses a legitimate Microsoft manifest file to evade detection by security products.
Dissecting the Wiper
In its initial execution, the malware collects information about the system’s disk drives using the ‘GetLogicalDrives’ API function. Malware commonly uses this function to enumerate the disk drives on a system and attempt to spread itself across them.
After gathering information about the disk drives on the system, the malware uses the ‘GetDriveTypeA’ API function to determine the type of each drive, such as removable, CD-ROM, network, etc.
The malware uses the ‘GetNativeSystemInfo’ API function to determine the processor architecture of the system and whether it is a 32-bit or 64-bit processor.
Then the wiper reads the system’s processor count, moves the value into the eax register, and prints it to the command prompt during the initial execution.
The malware loads the rstrtmgr.dll DLL file using the LoadLibraryA API function. If the DLL loads successfully, the GetProcAddress function will get the DLL’s RmStartSession address.
The screenshot below demonstrates how the operation in Figure 15 is executed dynamically:
When the malware finishes gathering information, it corrupts files in the C:\Users directory and collects CPU and thread data from the system.
A threat actor can execute the BiBi wiper by double-clicking on the executable, and by default, the executable will start corrupting the files inside of the C:\Users path.
On the other hand, a threat actor can execute the wiper via the command line and specify a specific path.
Wiper execution via the command line and specifying a specific path:
The malware uses the ‘Sleep’ API function to delay thread execution. This function is often employed for time-based evasion by adding delays in the code.
Using the ‘CreateProcessA’ API function, four command prompts are opened to execute specific commands.
cmd.exe /c vssadmin delete shadows /quIet /all
cmd.exe /c wmic shadowcopy delete
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
cmd.exe /c bcdedit /set {default} recoveryenabled no
The executed commands can be seen in the cmd processes the wiper creates.
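The four command lines listed in the Strings section and again above are the most reliable behavioural signal this wiper leaves in process-creation telemetry. The following detection logic is an added example written for this report, not code from the original analysis or from the malware. It runs over a few constructed, Sysmon-style process-creation events (parent process and command line) and flags the shadow-copy deletion and bcdedit recovery tampering. Matching is deliberately case-insensitive, because the wiper’s ‘/quIet’ spelling would slip past an exact-case rule, and a parent that triggers several of the rules is reported separately, since administrators legitimately run any one of these commands on its own.

```python
import re

# Constructed sample events in a simplified "parent -> command line" form.
# The first four command lines are the ones the report recovered from the
# wiper; the last two are benign noise that must not fire.
SAMPLE_EVENTS = [
    "bibi.exe -> cmd.exe /c vssadmin delete shadows /quIet /all",
    "bibi.exe -> cmd.exe /c wmic shadowcopy delete",
    "bibi.exe -> cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "bibi.exe -> cmd.exe /c bcdedit /set {default} recoveryenabled no",
    "explorer.exe -> cmd.exe /c dir C:\\Users",
    "backup.exe -> vssadmin list shadows",
]

# Each rule is (name, compiled regex). re.I makes the match case-insensitive
# so mixed-case variants such as "/quIet" are still caught.
RULES = [
    ("shadow_copy_deletion_vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion_wmic",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("boot_status_policy_tamper",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
]


def parse_event(line):
    """Split a constructed event into (parent process, command line)."""
    parent, _, cmdline = line.partition(" -> ")
    return parent.strip(), cmdline.strip()


def match_rules(cmdline):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(events):
    """One finding per (event, rule) hit, keyed by the parent that spawned cmd."""
    findings = []
    for line in events:
        parent, cmdline = parse_event(line)
        for name in match_rules(cmdline):
            findings.append({"parent": parent, "rule": name, "cmdline": cmdline})
    return findings


def parents_with_full_chain(findings, min_rules=3):
    """Parents that triggered at least min_rules distinct rules.

    The combination of shadow-copy deletion and recovery tampering from one
    parent is a far stronger signal than any single command."""
    by_parent = {}
    for f in findings:
        by_parent.setdefault(f["parent"], set()).add(f["rule"])
    return sorted(p for p, rules in by_parent.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f['rule']}] parent={f['parent']} cmd={f['cmdline']}")
    print("high-confidence parents:", parents_with_full_chain(hits))
```

Feeding real telemetry only requires replacing `parse_event` with a reader for the actual event source (for example the CommandLine and ParentImage fields of Sysmon Event ID 1); the rules and the per-parent correlation stay the same.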
After the execution of the commands, the wiper malware begins the corruption action in the file system. The malware begins by utilizing the ‘CreateFileW’ API function to open files. It sets the ‘dwCreationDisposition’ parameter to the value of ‘3’, which corresponds to ‘OPEN_EXISTING.’ This action allows the malware to determine whether the file exists in the file system or not.
The malware uses the ‘WriteFile’ API function to rewrite data to files in the file system. It handles the files using the ‘hFile’ handle. If the write operation fails, the malware takes action at the ‘loc_140017C5E’ memory location. The data written in the ‘lpBuffer’ pointer is what the malware writes when it handles a file.
The Wiper malware uses the ‘FindFirstFileExA’ API function to search for files, directories, and sub-directories. The starting point for the search is the path that the threat actor specified during the execution of the Wiper, or it defaults to the ‘C:\Users’ path inside the ‘lpFileName’ pointer.
Then, the malware continues the search with the ‘FindNextFileW’ function.
During the corruption of the files in the file system, the wiper changes their extension to ‘.BiBi1’.
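Two artifacts of the corruption routine described above survive on disk after the wiper has run: the renamed ‘.BiBi’ files, and file contents that no longer look like any document format because they have been overwritten. The scanner below is an added example for this report, not the author’s tooling or the malware’s code. It walks a directory tree and flags files on either signal, using a Shannon-entropy check on the leading bytes as a rough proxy for "overwritten with gibberish". The extension pattern (‘.BiBi’ followed by an optional short suffix, covering the ‘.BiBi1’ form seen in the sample) and the 7.0 bits-per-byte threshold are assumptions chosen for illustration; the sample tree it scans is constructed inline.

```python
import math
import os
import re
import tempfile

# Assumed naming pattern for renamed files: ".BiBi" plus an optional short
# alphanumeric suffix, covering both ".BiBi" and ".BiBi1" from the report.
BIBI_NAME = re.compile(r"\.BiBi[A-Za-z0-9]*$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: random overwrites sit near 8.0, plain text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_wiped_name(name: str) -> bool:
    """True when the file name carries the wiper's extension."""
    return BIBI_NAME.search(name) is not None


def scan_tree(root, sample_size=4096, entropy_threshold=7.0):
    """Walk root and return one finding per file that has the wiper's
    extension and/or leading bytes that look like a random overwrite."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if is_wiped_name(name):
                reasons.append("bibi_extension")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_size)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            ent = shannon_entropy(head)
            if head and ent >= entropy_threshold:
                reasons.append("high_entropy_content")
            if reasons:
                findings.append({"path": path, "entropy": round(ent, 2), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def summarize(findings):
    """Map each flagged file's base name to its list of reasons."""
    return {os.path.basename(f["path"]): f["reasons"] for f in findings}


def build_sample_tree(root):
    """Constructed fixture: an intact document, a renamed file filled with
    random bytes, and a renamed file that is still empty."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs, exist_ok=True)
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("quarterly report draft\n" * 50)
    with open(os.path.join(docs, "Xq7zk.BiBi1"), "wb") as fh:
        fh.write(os.urandom(8192))
    with open(os.path.join(docs, "a1b2.BiBi"), "wb"):
        pass
    return root


def demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, reasons in summarize(demo()).items():
        print(f"{name}: {', '.join(reasons)}")
```

The entropy check is only a heuristic: legitimately compressed or encrypted files (archives, images, encrypted containers) also score near 8.0, so in a real sweep the two signals should be reported separately, with the extension match treated as the confirming indicator and the entropy hit as a lead to inspect.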
Conclusion
A pro-Hamas hacker group attacked Israeli companies during the war between Israel and Hamas-ISIS.
The malware’s purpose was to destroy and corrupt the files in the operating system of the target without demanding any ransom.
The Wiper moved between files in the target’s file system, writing gibberish content to corrupt them, renaming them to random names, and changing their extension to ‘BiBi’ to mark the files as corrupted and unrecoverable.
The wiper attack is more political than technical: the malware is very basic, poorly written, and very easy to detect. The pro-Hamas hacker group targeted Israeli companies only because of the war, which is evident from the name of the malware and of the extension, BiBi (the Prime Minister of Israel).
Indicators of Compromise (IoCs)
1. BiBi.exe
2. e26bba0304f14ef96beb60376791d32c
3. [Random].BiBi[Random]