BiBi Windows Wiper Analysis
On October 30, 2023, Security Joes published its findings on a wiper malware for Linux systems used in the war in Gaza, which it named the “BiBi-Linux Wiper”. On November 1, 2023, the BlackBerry Research and Intelligence Team found its Windows variant.
In this post we look at the Windows version of the BiBi wiper, known as the “BiBi-Windows Wiper”.
Malware Sample
MD5: e26bba0304f14ef96beb60376791d32c
SHA256: 40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17
Static Analysis
- The timestamp suggests the implant was compiled on Saturday, October 21, 2023, and that it is a 64-bit executable.
- Below are some interesting strings found in the binary. Several of them are the command lines the wiper runs, stored reversed (read them right to left):
    [+] Stats: %d | %d
    [!] Waiting For Queue
    [+] Round %d
    lla/ teIuq/ swodahs eteled nimdassv c/ exe.dmc
    eteled ypocwodahs cimw c/ exe.dmc
    seruliafllaerongi ycilopsutatstoob }tluafed{ tes / tidedcb c / exe.dmc
    on delbaneyrevocer }tluafed{ tes/ tidedcb c/ exe.dmc
    C:\Users
    [+] Path: %s
    [+] CPU cores: %d, Threads: %d
    .exe
    .dll
    .sys
    .BiBi
Dynamic Analysis
- Upon execution, the BiBi-Windows Wiper checks whether a directory path to destroy was passed as a command-line argument. If no argument is provided, it performs the following actions.
- The wiper fetches the number of processors with GetNativeSystemInfo(), calculates the thread count accordingly, and prints the target directories and thread information on the console.
- Then it reads the hardcoded path “C:\Users”.
- After that it iterates through the 26 possible drive letters (A-Z) using GetLogicalDrives(), which returns a bitmask. It tests each bit of the bitmask to determine which drives are present on the system and appends “:” to each drive letter.
- Then, for every drive except C:, it calls GetDriveTypeA(), which returns the drive type. The BiBi-Windows Wiper targets only the following drive types:
    DRIVE_FIXED
    DRIVE_REMOVABLE
    DRIVE_RAMDISK
- Next, it creates a new thread that reads the commands stored in reverse and spawns a new process with CreateProcessA() to execute each of them.
Following are the commands executed by the BiBi Wiper.
cmd.exe /c bcdedit /set {default} recoveryenabled no
- Disables Windows Recovery Environment
cmd.exe / c bcdedit / set {default} bootstatuspolicy ignoreallfailures
- Force the system to boot normally rather than into the Windows Recovery Environment
cmd.exe /c wmic shadowcopy delete
- Delete Volume Shadow Copies using WMIC
cmd.exe /c vssadmin delete shadows /quIet /all
- Delete Volume Shadow Copies using VssAdmin
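As an added example (not part of the original analysis), the following Python detection logic flags the four recovery-inhibiting command lines listed above in constructed process-creation records. It normalises the unusual spacing and casing seen in the sample (“/ c”, “/ set”, “/quIet”) so those variants still match; the record format and the sample lines are assumptions made for the example.

```python
import re

# Command patterns from the BiBi-Windows Wiper analysis. They are matched
# after normalisation, so "/ c", "/ set" and "/quIet" as seen in the
# sample still hit.
RECOVERY_INHIBITION = {
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    "bcdedit_ignore_failures": re.compile(
        r"bcdedit\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
    "wmic_shadowcopy_delete": re.compile(r"wmic\s+shadowcopy\s+delete"),
    "vssadmin_delete_shadows": re.compile(r"vssadmin\s+delete\s+shadows"),
}


def normalise(cmdline: str) -> str:
    """Lower-case, collapse whitespace and re-attach switches ('/ c' -> '/c')."""
    collapsed = " ".join(cmdline.lower().split())
    return re.sub(r"/\s+(?=\w)", "/", collapsed)


def classify(cmdline: str):
    """Return the name of the matching technique, or None if the line is clean."""
    text = normalise(cmdline)
    for name, pattern in RECOVERY_INHIBITION.items():
        if pattern.search(text):
            return name
    return None


def scan(log_lines):
    """Scan 'ID CommandLine=...' records (assumed format); return (ID, technique) hits."""
    hits = []
    for line in log_lines:
        match = re.match(r"(\S+)\s+CommandLine=(.*)$", line)
        if match and (name := classify(match.group(2))):
            hits.append((match.group(1), name))
    return hits


# Constructed sample records (not real telemetry): the four wiper commands
# exactly as the analysis lists them, plus a benign query that must not fire.
SAMPLE_LOG = [
    "evt1 CommandLine=cmd.exe /c bcdedit /set {default} recoveryenabled no",
    "evt2 CommandLine=cmd.exe / c bcdedit / set {default} bootstatuspolicy ignoreallfailures",
    "evt3 CommandLine=cmd.exe /c wmic shadowcopy delete",
    "evt4 CommandLine=cmd.exe /c vssadmin delete shadows /quIet /all",
    "evt5 CommandLine=vssadmin list shadows",
]

if __name__ == "__main__":
    for record_id, technique in scan(SAMPLE_LOG):
        print(f"{record_id}: {technique}")
```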
- After identifying the accessible drives and their types, the BiBi-Windows Wiper creates a separate thread to execute the main wiping routine. The routine takes two arguments: the path of the directory to be destroyed (either supplied by the operator or retrieved earlier) and the specified number of threads.
- The wiper then enters an infinite loop in which the loop counter is the round number, printing “[+] Round %d\n” on each iteration. Once started, the wiper keeps destroying data round after round without ever stopping.
- To speed up the process, the wiper creates the specified number of threads, each running the main wiping function in a loop. Notably, the BiBi-Windows Wiper excludes files with the “.exe”, “.dll” and “.sys” extensions from its destructive actions.
- The wiping function implements the Mersenne Twister pseudorandom number generator. The wiper calls the Mersenne Twister routine again when renaming each destroyed file: the generated random number is reduced modulo a hardcoded value to produce an index into a wide string, and that index is used to form a unique filename to which “.BiBi” and the round number are appended. The decompiled Mersenne Twister routine follows.
    // Hex-Rays output of the wiper's Mersenne Twister (MT19937) routine.
    // a1 points at the generator state; *a1 is the current position in the state array.
    v2 = 624i64;                                    // MT19937 state size n = 624
    v3 = *a1;
    if ( v3 == 624 )
    {
      // Regenerate the whole state ("twist"): 0x9908B0DF is the MT19937 matrix
      // constant and the [395]/[397] offsets are the m = 397 shift.
      v4 = a1 + 2;
      do
      {
        v5 = *v4 ^ *(v4 - 1);
        ++v4;
        v4[622] = ((*(v4 - 2) ^ v5 & 0x7FFFFFFFu) >> 1) ^ v4[395] ^ (((*((_BYTE *)v4 - 8) ^ (unsigned __int8)v5) & 1) != 0 ? 0x9908B0DF : 0);
        --v2;
      }
      while ( v2 );
      v3 = *a1;
    }
    else if ( v3 >= 0x4E0 )
    {
      // Same twist over a second buffer, split into 227 + 396 elements plus the last one (624 total).
      v6 = a1 + 625;
      v7 = a1[625];
      v8 = 227i64;
      do
      {
        v9 = v7 ^ (v7 ^ v6[1]) & 0x7FFFFFFF;
        v7 = v6[1];
        *(v6 - 624) = (v9 >> 1) ^ v6[397] ^ ((v6[1] & 1) != 0 ? 0x9908B0DF : 0);
        ++v6;
        --v8;
      }
      while ( v8 );
      v10 = a1 + 852;
      v11 = 396i64;
      v12 = a1[852];
      do
      {
        v13 = v12 ^ (v10[1] ^ v12) & 0x7FFFFFFF;
        v12 = v10[1];
        *(v10 - 624) = (v13 >> 1) ^ *(v10 - 851) ^ ((v10[1] & 1) != 0 ? 0x9908B0DF : 0);
        ++v10;
        --v11;
      }
      while ( v11 );
      a1[624] = ((a1[1248] ^ (a1[1] ^ a1[1248]) & 0x7FFFFFFF) >> 1) ^ a1[397] ^ ((a1[1] & 1) != 0 ? 0x9908B0DF : 0);
      v3 = 0;
      *a1 = 0;
    }
    // Tempering of the selected state word: y ^= (y >> 11) & d, with d held in a1[1249].
    // In 32-bit arithmetic (y & 0xFF3A58AD) << 7 equals (y << 7) & 0x9D2C5680 and
    // (y & 0xFFFFDF8C) << 15 equals (y << 15) & 0xEFC60000, the reference MT19937 masks.
    v14 = a1[v3 + 1];
    *a1 = v3 + 1;
    v15 = ((((v14 >> 11) & a1[1249] ^ v14) & 0xFF3A58AD) << 7) ^ (v14 >> 11) & a1[1249] ^ v14;
    return ((v15 & 0xFFFFDF8C) << 15) ^ v15 ^ ((((v15 & 0xFFFFDF8C) << 15) ^ v15) >> 18);
    }
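To check the decompiled routine against the published algorithm, here is a reference MT19937 in Python, added as an example and not part of the original post or the wiper's code. The comments map the decompiled offsets and masks to the standard parameters; seeded with the conventional default 5489, the reference generator yields 3499211612 as its first output and 4123659995 as its 10,000th, which is the usual sanity check for an MT19937 implementation.

```python
class MT19937:
    """Reference MT19937 with the parameters of the original Matsumoto/Nishimura paper."""

    N, M = 624, 397              # state size (v2 = 624) and shift (v4[395] / v6[397] offsets)
    MATRIX_A = 0x9908B0DF        # the constant XORed in when the low bit is set
    UPPER, LOWER = 0x80000000, 0x7FFFFFFF   # 0x7FFFFFFF masks in the decompiled twist

    def __init__(self, seed: int = 5489):
        self.mt = [0] * self.N
        self.index = self.N      # forces a twist before the first output, like *a1 == 624
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, self.N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF

    def _twist(self) -> None:
        """Regenerate all 624 words; this is what the two decompiled branches compute."""
        mt = self.mt
        for i in range(self.N):
            y = (mt[i] & self.UPPER) | (mt[(i + 1) % self.N] & self.LOWER)
            mt[i] = mt[(i + self.M) % self.N] ^ (y >> 1) ^ (self.MATRIX_A if y & 1 else 0)
        self.index = 0

    def next_u32(self) -> int:
        """Return the next tempered 32-bit output (the decompiled v14 -> v15 -> return)."""
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11                       # (v14 >> 11) & a1[1249] ^ v14, with d = 0xFFFFFFFF
        y ^= (y << 7) & 0x9D2C5680         # same as (y & 0xFF3A58AD) << 7 in 32 bits
        y ^= (y << 15) & 0xEFC60000        # same as (y & 0xFFFFDF8C) << 15 in 32 bits
        y ^= y >> 18
        return y & 0xFFFFFFFF


def outputs(seed: int, count: int) -> list:
    """Return the first `count` outputs for `seed`, useful for comparing against a sample."""
    gen = MT19937(seed)
    return [gen.next_u32() for _ in range(count)]


if __name__ == "__main__":
    print(outputs(5489, 3))
```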
The console output below shows the target directory, CPU cores, threads, round number, stats, and a destroyed file with the .BiBi extension.
YARA Rule
rule BIBI_Wiper_Windows {
    meta:
        description = "BiBi-Windows Wiper used in the Gaza War"
        author = "The BlackBerry Research and Intelligence Team"
        date = "2023-10-31"
        hash = "40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17"
        version = "1.0"
    strings:
        $a1 = "[+] Stats: " ascii wide
        $a2 = "C:\\Users" ascii wide
        $a3 = "[!] Waiting For Queue " ascii wide
        $a4 = "[+] Round " ascii wide
        $a5 = "[+] Path: " ascii wide
        $a6 = "[+] CPU cores: " ascii wide
    condition:
        uint16(0) == 0x5a4d and ((filesize < 2000KB) and all of ($a*))
}