亲哈马斯黑客的新恶意软件：BiBi-Linux Wiper

A pro-Hamas hacktivist group has been observed using a new Linux-based wiper malware dubbed BiBi-Linux Wiper, targeting Israeli entities amidst the ongoing Israeli-Hamas war.

一支亲哈马斯的黑客活动组织被观察到使用了一种名为BiBi-Linux Wiper的新Linux擦除恶意软件，瞄准以色列实体，正在进行的以色列-哈马斯战争中。

"This malware is an x64 ELF executable, lacking obfuscation or protective measures," Security Joes said in a new report published today. "It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions."

“这个恶意软件是一个x64 ELF可执行文件，缺乏混淆或保护措施”，安全乔斯在今天发布的一份新报告中说。“它允许攻击者指定目标文件夹，如果以根权限运行，可能会毁坏整个操作系统。”

Some of its other capabilities include multithreading to corrupt files concurrently to enhance its speed and reach, overwriting files, renaming them with an extension containing the hard-coded string "BiBi" (in the format "[RANDOM_NAME].BiBi[NUMBER]"), and excluding certain file types from being corrupted.

它的一些其他功能包括多线程并发地损坏文件以提高速度和范围，覆盖文件，用包含硬编码字符串“BiBi”的扩展名重命名它们（格式为“[RANDOM_NAME].BiBi[NUMBER]”），并排除某些文件类型免受损坏。

"While the string "bibi" (in the filename), may appear random, it holds significant meaning when mixed with topics such as politics in the Middle East, as it is a common nickname used for the Israeli Prime Minister, Benjamin Netanyahu," the cybersecurity company added.

“尽管文件名中的字符串“bibi”（在文件名中）可能看起来随机，但当与中东政治等话题混合在一起时，它具有重要意义，因为这是对以色列总理本杰明·内塔尼亚胡常用的绰号。”

The destructive malware, coded in C/C++ and carrying a file size of 1.2 MB, allows the threat actor to specify target folders via command-line parameters, by default opting for the root directory ("/") if no path is provided. However, performing the action at this level requires root permissions.

这种破坏性恶意软件是用C/C++编写的，文件大小为1.2 MB，允许威胁行为者通过命令行参数指定目标文件夹，如果没有提供路径，默认选择根目录（“/”），但在此级别执行该操作需要根权限。

Another notable aspect of BiBi-Linux Wiper is its use of the nohup command during execution so as to run it unimpeded in the background. Some of the file types that are skipped from being overwritten are those with the extensions .out or .so.

BiBi-Linux Wiper的另一个显着特点是在执行过程中使用nohup命令，以便在后台无阻运行。被跳过不被覆盖的一些文件类型包括扩展名为.out或.so的文件。

"This is because the threat relies on files such as bibi-linux.out and nohup.out for its operation, along with shared libraries essential to the Unix/Linux OS (.so files)," the company said.

“这是因为威胁依赖于文件，如bibi-linux.out和nohup.out以及对Unix/Linux操作系统至关重要的共享库（.so文件），”该公司说。

The development comes as Sekoia revealed that the suspected Hamas-affiliated threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, Gaza Cyber Gang, and Molerats) is likely organized as two sub-groups, with each cluster focused on cyber espionage activities against Israel and Palestine, respectively.

这一发展是因为Sekoia透露，疑似与哈马斯有关的威胁行为者，被称为沙漠蜥蜴（又名APT-C-23、Desert Falcon、Gaza Cyber Gang和Molerats），可能是两个子组织组织，每个集群专注于对以色列和巴勒斯坦的网络间谍活动。

"Targeting individuals is a common practice of Arid Viper," SentinelOne researchers Tom Hegel and Aleksandar Milenkoski said in an analysis released last week.

“瞄准个人是沙漠蜥蜴的常见做法，”SentinelOne的研究员汤姆·赫格尔和亚历山大·米伦科斯基在上周发布的分析中说。

"This includes pre-selected Palestinian and Israeli high-profile targets as well as broader groups, typically from critical sectors such as defense and government organizations, law enforcement, and political parties or movements."“

这包括预先选定的巴勒斯坦和以色列高调目标以及更广泛的群体，通常来自国防和政府组织，执法机构以及政党或运动等关键领域。”

Attack chains orchestrated by the group include social engineering and phishing attacks as initial intrusion vectors to deploy a wide variety of custom malware to spy on its victims. This comprises Micropsia, PyMicropsia, Arid Gopher, and BarbWire, and a new undocumented backdoor called Rusty Viper that's written in Rust.该组织制定的攻击链包括社交工程和钓鱼攻击作为初始入侵向量，以部署各种自定义恶意软件来监视其受害者。这包括Micropsia、PyMicropsia、Arid Gopher以及用Rust编写的新的未记录的后门Rusty Viper。”

"Collectively, Arid Viper's arsenal provides diverse spying capabilities such as recording audio with the microphone, detecting inserted flash drives and exfiltrating files from them, and stealing saved browser credentials, to name just a few," ESET noted earlier this month.“总体而言，沙漠蜥蜴的武库提供了各种监视能力，如使用麦克风录音，检测插入的闪存驱动器并从中导出文件，以及窃取保存的浏览器凭据，仅举几例，”ESET在本月早些时候指出。