Contents

Introduction
Static analysis and malware assessment
Dynamic analysis and second malware assessment
Debugging
IOCs
YARA Rule
Conclusions
References
Introduction

BiBi Wiper is a destructive malware family used in the Israel-Hamas conflict by hacktivists
aligned with Hamas. As of 30 October 2023 the threat had been observed targeting Linux
systems; a Windows variant, the one analyzed in this article, was reported shortly afterwards.

The artefact, much like the wipers seen during the Russian-Ukrainian war, was used as a
hybrid-warfare tool for destructive actions against Israeli critical infrastructure, effectively
contributing to Hamas's military and strategic offensive. Because the threat overwrites and
"locks" files without demanding a ransom, BiBi Wiper falls into a different category from
ransomware: its only objective is to make the data on target systems inaccessible and
unusable. [0]
Static analysis and malware assessment

The analyzed sample has the MD5 hash e26bba0304f14ef96beb60376791d32c and was
developed in C++.
In the .rsrc section (which holds the application manifest and other resources) the manifest
requests an execution level of "asInvoker", so the threat runs with the same privileges and
integrity level as its parent process and makes no attempt to elevate through UAC.

The functions imported from KERNEL32.dll cover drive enumeration, process creation and
opening, and dynamic loading of further libraries via LoadLibraryA. Thread-management
functions are imported to run the wiping work on several threads concurrently.

Next come the file-enumeration loops and file-attribute handling, as well as file positioning
via SetFilePointerEx. That function lets the threat write at precise offsets inside a file rather
than only from its beginning, which is what makes a partial overwrite possible.
Files are renamed with the extension .BiBi after they have been made inaccessible through the
overwriting process.

The sample also imports QueryPerformanceCounter and related functions that read CPU timing
and frequency. Such calls can be used to detect a virtualized environment (virtual machine or
sandbox) through timing discrepancies, with one caveat: QueryPerformanceCounter,
GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId and GetTickCount(64) are
also exactly the set of imports pulled in by the MSVC runtime's __security_init_cookie to seed
the stack cookie, so their presence in the import table on its own is weak evidence of
anti-analysis behaviour.

Note the import of IsDebuggerPresent, a basic anti-debugging check that reads the
BeingDebugged flag of the PEB to detect breakpoints and code-browsing tools; it is trivially
bypassed by patching the flag or the return value, and it is also referenced by the CRT's own
error-reporting code.
Pointer values are protected with EncodePointer, which XORs a pointer with a per-process secret
so that it cannot be used (or meaningfully read by an analyst) until it is decoded with
DecodePointer. The MSVC CRT applies it to its own function-pointer tables, so this is not
necessarily a deliberate obfuscation choice by the author.

Files are read concurrently from several worker threads:


Here are the details of the sections of the Portable Executable. The main section is .text,
which contains the instructions executed by the CPU.
Also visible are the concurrency and resource-management primitives, specifically
multithreading and semaphores. A semaphore limits how many threads may hold a resource at
once; with a count of one it behaves like a mutex and gives exclusive access, preventing two
threads (or, for named objects, two processes) from touching the same file at the same time:
Below is evidence of the directory-iterator phase, of the .BiBi extension appended to wiped
files, and of the boot-configuration CMD commands used to disable the Windows Automatic
Repair module and the handling of boot failures. In the extractable strings these CMD
commands appear reversed (written backwards). Instances of the Restart Manager API are used
to find and terminate processes holding the target files open, and volume shadow copies are
deleted so that files cannot easily be restored.
By reversing the strings we recovered the executed commands.
The sample's sections show no sign of packing, so the threat actors did not obfuscate the bytes
to hinder static analysis; however, as we shall see, some command strings are stored in
reversed or encoded form.
Dynamic analysis and second malware assessment

In the function sub_140005530 a new process is created to run the boot-configuration CMD
commands. The command strings are held in the binary in reversed form, so the executable has
to restore them to their readable order before they can be passed as the command line.
We highlight the setup of the thread and process attributes of the new process, and finally the
call to CreateProcessA that launches it to execute the above-mentioned commands.
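The reversed command strings described in the static-analysis section and the CreateProcessA call above are where a small triage script pays off. The following Python is an added example, not code from the original report or from the sample: it extracts ASCII strings from a binary blob, tries each string both as-is and reversed, and tags anything that matches generic recovery-disabling command patterns (bcdedit recovery off, boot-status policy, shadow-copy deletion). The blob, the command strings inside it and the regular expressions are constructed for this example; the sample's exact command strings are not reproduced on this page.

```python
from __future__ import annotations
import re

# Minimal ASCII "strings" extractor: runs of printable bytes at least MIN_LEN long.
MIN_LEN = 8
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> list[str]:
    return [m.group().decode("ascii") for m in _PRINTABLE.finditer(data)]


# Generic patterns for the recovery-disabling behaviour the report describes
# (Automatic Repair off, boot-failure handling off, shadow copies deleted).
# Written for this example; they are not the sample's own strings.
RECOVERY_TAMPERING = {
    "disable_auto_repair": re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", re.I),
    "ignore_boot_failures": re.compile(r"\bbcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "delete_shadow_copies": re.compile(
        r"\bvssadmin\b.*\bdelete\s+shadows\b|\bwmic\b.*\bshadowcopy\s+delete\b", re.I),
}


def classify_command(cmd: str) -> list[str]:
    """Tags a command line, whether it came from a binary's strings or from a process log."""
    return [tag for tag, rx in RECOVERY_TAMPERING.items() if rx.search(cmd)]


def recover_commands(strings: list[str]) -> list[dict]:
    """Try each string as-is and then reversed; report the first form that matches,
    so commands stored backwards in the binary surface in readable form."""
    hits = []
    for s in strings:
        for candidate, was_reversed in ((s, False), (s[::-1], True)):
            tags = classify_command(candidate)
            if tags:
                hits.append({"command": candidate, "was_reversed": was_reversed, "tags": tags})
                break
    return hits


# Constructed stand-in for an .rdata dump: two commands stored reversed, one stored
# normally, plus ordinary import names that must not trigger anything.
_CMDS = [
    "cmd.exe /c bcdedit /set {default} recoveryenabled no",
    "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures",
]
SAMPLE_BLOB = (
    b"\x00" * 8
    + _CMDS[0][::-1].encode() + b"\x00"
    + b"GetFileInformationByHandleEx\x00SetFilePointerEx\x00"
    + _CMDS[1][::-1].encode() + b"\x00"
    + b"cmd.exe /c vssadmin delete shadows /all /quiet\x00"
    + b".BiBi\x00"
)

if __name__ == "__main__":
    for hit in recover_commands(extract_strings(SAMPLE_BLOB)):
        print("reversed" if hit["was_reversed"] else "plain   ", hit["tags"], hit["command"])
```

classify_command() works on any command line, so the same tags can be applied to process-creation telemetry (the CommandLine field of Sysmon Event ID 1 or Security event 4688) to catch the same commands when CreateProcessA actually runs them, independent of how they were stored in the binary.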
Files and data are taken starting from the C:\Users directory tree.
Next, the system's drives are enumerated and classified by type.
Parameters are then collected for the infection chain, such as the number of threads, the CPU
core count, paths and execution statistics.
There is also evidence of Restart Manager usage keyed on the current process ID.
At address 000000014002FE48 in the .rdata section sit the import entries for the file-looping
functions, for example FindNextFileW, FindFirstFileExW and GetFileInformationByHandleEx;
the latter returns per-file details during the iteration.

Further .rdata entries concern performance-counter queries and local timestamps, used for
awareness of the execution environment, and there are further references to the
IsDebuggerPresent and EncodePointer functions.
The executable was compiled on 21 October 2023:

The most interesting indicators inherent in the sample refer mostly to file management,
environment and hardware information discovery, services management and execution, and
external function calling:
Additional attributes regarding the Portable Executable are listed here, including the file
signature:

For each section of the artifact the entropy value is shown, together with the entry point (the
address of the first executed instruction), which lies in the .text section at RVA 0x0000AB10:
Several imported functions deserve attention: CreateProcessA, OpenProcess, SwitchToThread,
GetCurrentThreadId, GetNativeSystemInfo, FindFirstFileExW, FindNextFileW, MoveFileExW and
SetFileAttributesW. Together they cover process launching, file enumeration, renaming in place
(MoveFileExW) and attribute changes.
Here are some strings relating to information gathering, as well as the .BiBi extension
appended to wiped files.
The debug directory timestamp is also dated 21 October 2023:

Note the following evidence related to the PE assessment phase and the included sections,
including VirtualSizes (the size of the sections as they are mapped in memory):
Reference is made to the import of several main functions of drive enumeration, performance
counter information gathering and file pointing:
In the .text section there is an "or qword ptr [rip + 0x263A7], 0xFFFFFFFFFFFFFFFF"
instruction. This does not represent a read access violation: OR-ing with all ones simply sets
that global to -1, a common compiler-generated idiom for initialising a value to -1 (for
instance INVALID_HANDLE_VALUE or an "unset" sentinel), and it normally belongs to CRT
start-up code rather than to the author's logic.
The DOS header's "bytes on last page of file" field (e_cblp) reads 0x90, the value carried by
the standard MZ stub; it has no analytical significance.
The Import Address Table (the table of function pointers that the loader fills in with the
resolved addresses of the imported functions) has a size of 320 bytes, i.e. 40 eight-byte slots
on x64:

Here are the sizes of the sections:


The debug directory timestamp shown by this tool is 22 October 2023; the one-day difference
from the earlier reading is most likely a local-time versus UTC display difference between
tools rather than a second build:

The DllCharacteristics field is 0x8160, which decodes to HIGH_ENTROPY_VA (0x0020),
DYNAMIC_BASE (0x0040), NX_COMPAT (0x0100) and TERMINAL_SERVER_AWARE (0x8000): the image
opts into ASLR with 64-bit (high-entropy) randomisation and DEP, so the addresses of its code,
data and called functions are effectively random on every run. These are the default linker
settings of a modern MSVC build rather than a hardening choice specific to the malware, but
they do mean that addresses seen in one debugging session will not match the next unless ASLR
is disabled for the analysis.
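The PE header and section facts collected above (compile timestamp, entry point and its section, section VirtualSize and raw size, per-section entropy as a packing indicator, and the DllCharacteristics bits) can be pulled from a sample with standard-library Python. The following is an added example, not code from the report or from any tool the report used: it parses the headers directly rather than through pefile, and build_sample_pe() constructs a synthetic PE32+ image whose header values mirror the figures the report states (x64, entry RVA 0xAB10 in .text, DllCharacteristics 0x8160, compiled 21 October 2023) so that the example runs offline. The synthetic .rdata is filled with random bytes purely so that the entropy heuristic has something to flag; the real sample shows no such packing.

```python
import math
import random
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def decode_dll_characteristics(value: int) -> list:
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0; packed or encrypted sections sit close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Triage fields of a PE32/PE32+ image: compile time, entry point and its
    section, DllCharacteristics, per-section sizes and entropy."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        ent = shannon_entropy(data[rawptr:rawptr + rawsize])
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": round(ent, 2),
                         "likely_packed": ent > 7.2 and rawsize >= 1024})
    entry_section = next((s["name"] for s in sections if s["virtual_address"] <= entry_rva
                          < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)
    return {"machine": {0x8664: "x64", 0x14C: "x86"}.get(machine, hex(machine)),
            "pe32plus": magic == 0x20B,
            "compile_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "entry_point_rva": entry_rva, "entry_section": entry_section,
            "dll_characteristics": dll_chars,
            "dll_characteristics_flags": decode_dll_characteristics(dll_chars),
            "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed PE32+ image for this example (not the BiBi sample). Header values
    mirror those the report states; section bytes are synthetic, with .rdata random
    so the packing heuristic has something to flag."""
    text = b"\x48\x8b" * 0x1000                       # repetitive "code", entropy 1.0
    rdata = random.Random(7).randbytes(0x1000)       # random "data", entropy near 8
    sections = [(b".text", 0x20000, 0x1000, text), (b".rdata", 0x10000, 0x21000, rdata)]
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 1697882400, 0, 0, 112, 0x22)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 16, 0xAB10)          # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)     # ImageBase
    struct.pack_into("<H", opt, 70, 0x8160)          # DllCharacteristics
    table, blobs, raw_ptr = b"", b"", 0x400
    for name, vsize, vaddr, blob in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(blob), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(blob)
        blobs += blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x400, b"\0") + blobs


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

The 7.2-bits-per-byte threshold is a common rule of thumb, not a standard; compressed resources and certificate tables also score high, so treat likely_packed as a prompt to look, not a verdict. For a real file, replace build_sample_pe() with the bytes read from disk.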
Various file management and external library import functions are contained in the
hexadecimal dump (WriteFile, LoadLibraryExW and GetFileType) of the Portable Executable:

Here is the resource of the manifest file, where execution privileges and security permissions
are revealed:
In the function fun_14000f4a4 we note the call to QueryPerformanceCounter. Timing the
performance counter is one way to detect execution inside a virtualized environment, but the
same call is also part of the CRT's stack-cookie initialisation, so the surrounding code should
be checked for a comparison against a threshold before this is treated as anti-VM logic:
Debugging

In a debugging session we can see the .BiBi extension being added to wiped files, logging
strings from the multithreaded execution, and the Windows boot-configuration commands.
Here is an example of a lea instruction loading the address of the string holding the
shadow-copy deletion command into rdx (lea takes an address, not a value; rdx is the second
argument register in the Windows x64 calling convention, so the string is being passed to the
next call):
The OSINT classifications of the examined artefact refer to the signature
"Trojan/Win.BiBiWiper.C5541532".
Some IDS rules fired on ICMP and ping activity during sandbox execution.

Here is an example of detonation in which files are made inaccessible and renamed with the
.BiBi extension plus a numeric suffix.
The screenshot below shows the handling of file attributes while selecting the files to be
overwritten, inside a while loop.
The following file types are skipped during execution: .exe, .dll and .sys, which presumably
keeps the system bootable and the wiper itself intact while its data is destroyed.
In the function sub_1400031F0 the system directories are iterated. Once the files to be made
inaccessible have been identified, they are partially overwritten with a random pattern,
generated and written into the file stream in function sub_1400048D0. After the overwrite,
the files are renamed with the .BiBi extension and a numeric suffix.
Files are opened in "r+b" mode (read/update, binary), i.e. opened in place for both reading
and writing without truncation, which is what allows the partial overwrite at chosen offsets.

Mutex objects then lock the files in question so that the wiping thread has exclusive access
to them, without interference from other threads or external processes:
Here is the handling of the random pattern used to overwrite the enumerated files:
Note the renaming of the overwritten files:
IOCs:

• MD5: e26bba0304f14ef96beb60376791d32c
• SHA-1: 24f6785ca2e82d1d1d61f4cb01d5e753f80445cf
• SHA-256: 40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17
• File extension appended to wiped files: .BiBi
• Hex form of the extension string: 2e 42 69 42 69

YARA Rule

rule BiBiRule
{
    meta:
        description = "BiBi Wiper (Windows variant): .BiBi extension string"
        md5 = "e26bba0304f14ef96beb60376791d32c"
    strings:
        $strBiBi = ".BiBi" ascii wide
        $hexBiBi = { 2e 42 69 42 69 }
    condition:
        // restrict to PE files: a five-byte string alone matches far too much
        uint16(0) == 0x5A4D and ($strBiBi or $hexBiBi)
}

Note that ".BiBi" is a weak signature on its own: restricting the match to PE files (MZ
header) keeps documents and logs that merely mention the extension from matching, and the
wide form covers the UTF-16 copy of the string that a build calling MoveFileExW may carry.
CONCLUSIONS:

BiBi Wiper is a threat that follows the pattern of the wipers used in the context of the Russian-
Ukrainian conflict, such as HermeticWiper or IsaacWiper (developed and disseminated
immediately before Russia's de facto invasion on 24 February 2022).

In this specific case, however, there are some differentiating elements compared to the
above-mentioned threats: the files selected in the enumeration phase are rendered
inaccessible by overwriting them with a random pattern. The behaviour still does not fit a
ransomware classification, since no ransom note is dropped on infected machines and no
payment is demanded for the recovery of files. The threat's only objective is to carry out its
destructive action against the adversary's critical infrastructure, and it can be associated
with the ever-present concept of hybrid warfare that we have become familiar with due to the
current delicate geopolitical situation.

A key feature of this concept is the fact that, even without military belligerence, devastating
results can still be achieved. Attention was also paid to managing resources and files
potentially in use by other external processes and to modifying Windows start-up settings, as
well as to eliminating shadow copies in order to maximize the threat's impact.

The growing and constant risk of an increasingly compromised and deteriorating geopolitical
situation leads one to assume that the development and distribution of such malware will
increase. These threats will be increasingly sophisticated, evasive and destructive.

References:
[0] "BiBi Wiper Used in the Israel-Hamas War Now Runs on Windows", blackberry.com
(introduction to BiBi Wiper)
