The BiBi wiper is malware used by the hacking group Void Manticore; its name references the nickname of Israel's Prime Minister, Benjamin Netanyahu. The malware was first reported in late 2023 during attacks against Albania, where it was used to wipe data from computer systems. It has since been deployed in further attacks throughout 2023 and into 2024, notably against targets in Israel. The wiper accepts command-line parameters such as the target path, which defaults to "/". It skips files with the extensions ".out" and ".so", likely because it relies on these files for its operation.
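A triage heuristic built on the extension exclusion described above, as an added example that is not part of the original description or any vendor's detection logic: it flags a process that modified nearly every file in the directories it touched while leaving the ".out" and ".so" files there alone. The event tuple format, the inventory set, the thresholds and all sample paths and PIDs are assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PurePosixPath

SPARED_EXT = {".out", ".so"}  # extensions the description says the wiper leaves alone

def wiper_like_pids(events, inventory, min_files=5, min_coverage=0.9):
    """Return {pid: coverage} for processes matching the mass-modify-but-spare pattern.

    events    -- iterable of (pid, op, path) file events (hypothetical telemetry format)
    inventory -- set of file paths known to exist before the events (assumed available)
    """
    touched = defaultdict(set)
    for pid, op, path in events:
        if op in {"write", "rename", "delete"}:
            touched[pid].add(path)

    flagged = {}
    for pid, paths in touched.items():
        if len(paths) < min_files:
            continue  # too few files to call it mass modification
        if any(PurePosixPath(p).suffix in SPARED_EXT for p in paths):
            continue  # touched a spared extension: does not match the pattern
        dirs = {str(PurePosixPath(p).parent) for p in paths}
        in_scope = {f for f in inventory if str(PurePosixPath(f).parent) in dirs}
        eligible = {f for f in in_scope if PurePosixPath(f).suffix not in SPARED_EXT}
        spared = in_scope - eligible  # .out/.so files sitting beside the modified ones
        coverage = len(paths & eligible) / len(eligible) if eligible else 0.0
        if spared and coverage >= min_coverage:
            flagged[pid] = round(coverage, 2)
    return flagged

# Constructed sample data (not from a real incident).
INVENTORY = {f"/srv/data/f{i}.db" for i in range(6)} | {
    "/srv/data/libx.so", "/srv/data/a.out", "/home/u/notes.txt", "/home/u/todo.txt"}
EVENTS = [(4242, "write", f"/srv/data/f{i}.db") for i in range(6)]   # selective mass overwrite
EVENTS += [(1001, "write", "/home/u/notes.txt")]                      # ordinary editor save
EVENTS += [(2002, "write", p) for p in sorted(INVENTORY)
           if p.startswith("/srv/data")]                              # job touching every file

if __name__ == "__main__":
    print(wiper_like_pids(EVENTS, INVENTORY))
```

The match is on the final suffix only, so a versioned library name such as "libx.so.1" would not count as spared under this check.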
The Void Manticore group initially gained access to its targets through another actor, Storm-0861, also known as Scarred Manticore. This actor exploited vulnerabilities (CVE-2019-0604) to gain initial access and used tools such as Foxshell and Liontail to maintain a presence for over a year. Their primary objective was email exfiltration. Once inside, Void Manticore deployed the BiBi wiper, along with other ransomware, causing significant damage and disruption. The group also leaked information under the persona "Homeland Justice Karma".
The deployment of the custom BiBi wiper in attacks against Israeli targets indicates an intent to cause direct damage and send a politically charged message. In November 2023, a new version of the BiBi wiper was discovered that targeted both Linux and Windows devices. It is believed to have been created by pro-Hamas hacktivists and was initially used to target Israeli firms' Linux systems amid the ongoing conflict between Israel and Hamas. By late 2023, operators of the BiBi wiper had developed a version of the payload aimed at Windows systems, further expanding the potential reach of their attacks.
Description last updated: 2024-05-20T11:16:26.763Z