Bibi

Malware Profile Updated 12 days ago
BiBi is a potent malware that has been deployed by a pro-Hamas hacktivist group against Israeli targets. It is particularly destructive because it is designed to wipe data from the systems it infiltrates, causing direct damage and disruption. The use of this custom BiBi wiper in their operations underscores the group's intent not only to inflict tangible harm but also to convey a politically charged message. The malware is typically delivered through suspicious downloads, emails, or websites, often infiltrating systems without the user's knowledge.

The Windows variant exhibits a distinctive characteristic: once inside a system, it wipes files and leaves a mark by changing the extension of the wiped files to ".BiBi". This alteration serves as an identifier of the malware's activity and possibly as a taunting signature from the hackers. The file wiping can lead to substantial data loss and operational disruption, heightening the severity of the attack.

The BiBi wiper appears to skip files with the extensions ".out" and ".so". This selective behavior likely stems from the malware's reliance on files with these extensions, such as "bibi-linux.out", and on other libraries essential for the operating system. By preserving these files, the malware keeps the infected system running, thereby maintaining its presence and potential for further damage.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Bibi Wiper | 2 | The BiBi wiper is a malicious software (malware) utilized by the hacking group Void Manticore, with its name referencing the nickname of Israel's Prime Minister, Benjamin Netanyahu. The malware was first reported in late 2023 during attacks against Albania, where it was used to wipe data from comput
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Linux
Wiper
Malware
Windows
Ransom
Hackread
Hamas
Israeli
Israel
Azure
Payload
Encrypt
Encryption
Associated Malware
ID | Type | Votes | Profile Description
Malware Wiper | Unspecified | 1 | Malware wiper is a malicious software designed to delete all files on the infected system, causing significant damage and losses. This type of malware has been increasingly used in targeted attacks over the past year. Notably, the Russia-affiliated advanced persistent threat (APT) group, Sandworm, h
Associated Threat Actors
ID | Type | Votes | Profile Description
Cobalt Sapling | Unspecified | 1 | Cobalt Sapling, an Iranian threat actor, has recently been identified as a significant cybersecurity risk. This entity was spotted targeting Saudi Arabia with a new persona called "Abraham's Ax," according to recent news reports. The threat actor is known for its malicious activities, which can rang
Moses Staff | Unspecified | 1 | Moses Staff, an Iranian Advanced Persistent Threat (APT) group, has emerged as a significant cybersecurity threat. The Cybereason Nocturnus Team has been monitoring the activities of this group since 2021, and it has been linked to several major ransomware-style attacks. Initially categorized as hac
Firefly | Unspecified | 1 | Firefly, a threat actor linked to China along with Fireant and Neeedleminer, has been implicated in cybersecurity breaches targeting telecommunications companies in at least two Asian nations. This information was revealed in an analysis published by Broadcom's Symantec cybersecurity division. These
Scarred Manticore | Unspecified | 1 | Scarred Manticore is a threat actor known for its malicious cyber activities, which have been observed in Albania in 2022 and Israel from 2023 to 2024. The group uses sophisticated techniques including a web shell-based version of the LIONTAIL shellcode loader and .NET payloads obfuscated similarly
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2019-0604 | Unspecified | 1 | None
Source Document References
Information about the Bibi Malware was read from the documents corpus below. This display is limited to 20 results.
Source | CreatedAt | Title
Securityaffairs | 6 days ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 6 days ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 12 days ago | Security Affairs Malware Newsletter - Round 2
Securityaffairs | 20 days ago | Security Affairs Malware Newsletter - Round 1
Securityaffairs | a month ago | Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | a month ago | Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | a month ago | Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 2 months ago | Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Checkpoint | 2 months ago | Bad Karma, No Justice: Void Manticore Destructive Activities in Israel - Check Point Research
Securityaffairs | 3 months ago | Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 4 months ago | Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs | 4 months ago | Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs | 4 months ago | Security Affairs newsletter Round 464 by Pierluigi Paganini
Securityaffairs | 4 months ago | Security Affairs newsletter Round 463 by Pierluigi Paganini
CERT-EU | 4 months ago | Phone hacking has become too easy, PTA chief tells IHC - Pakistan | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Securityaffairs | 5 months ago | Security Affairs newsletter Round 462 by Pierluigi Paganini
CERT-EU | 5 months ago | Pakistan Student Sentenced To Death Over "Blasphemous" WhatsApp Messages: Report | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 5 months ago | New Linux Malware Alert: 'Spinning YARN' Hits Docker, other Key Apps