Ebury Compromised 400K Linux Servers

EBURY Related Families: HelimodSteal, HelimodProxy, HelimodRedirect

Executive Summary

A longstanding botnet campaign is known to deliver Ebury, an OpenSSH backdoor and credential stealer.

Key Takeaways

A longstanding botnet campaign is known to deliver Ebury, an OpenSSH backdoor and credential stealer.
Ebury has been active since at least 2009 and has compromised over 400,000 Linux servers to date.
Ebury is one of the most advanced server-side malware campaigns used for financial gain
The threat actors behind Ebury are financially motivated and have used multiple methods to try to monetize, including using spam, web traffic redirects, and credential theft.
Ebury allows threat actors to deploy follow-on payloads, including HelimodSteal, HelimodProxy, and HelimodRedirect.

What is Ebury?

A longstanding botnet campaign is known to deliver Ebury. Ebury is an OpenSSH backdoor and credential stealer. ESET first reported on Ebury in 2014 as a part of coverage of Operation Windigo and recently released an updated report on the malware, as it has continued to be active over the last decade.

Ebury, which has been active since at least 2009, has compromised 400,000 Linux servers to date. ESET noted that Ebury is one of the most advanced server side malware campaigns used for financial gain. The financially motivated threat actors behind Ebury have used multiple methods to try to monetize, including using spam, web traffic redirects, and credential theft.

The threat actors have also been observed stealing cryptocurrency via AitM and stealing credit card numbers via server side web skimming. The threat actors behind Ebury are clever and have managed to compromise the infrastructure of other threat actors, including the infrastructure behind Vidar stealer.

ESET has observed Ebury being delivered via multiple methods, including using stolen credentials, credential stuffing, infiltrating hosting provider infrastructure, exploiting flaws in Control Web Panel (including CVE-2021-45467), and SSH adversary in the middle (AitM) attacks.

Ebury is both a backdoor and an SSH credential stealer. Its most recent known version was released in late 2023. New features in the updated Ebury variant include new obfuscation techniques, a new domain generation algorithm (DGA), and improvements for hiding the rootkit from systems administrators.

Ebury allows threat actors to deploy follow-on payloads. Payloads observed in conjunction with Ebury include HelimodSteal, HelimodProxy, and HelimodRedirect. HelimodSteal is an Apache module that exfiltrates all HTTP POST requests that are sent to the server. It can be used to steal credit card information. HelimodProxy is used for spam campaigns. HelimodRedirect is an Apache module that redirects a small amount of HTTP traffic to ads.

IOCs

PolySwarm has multiple samples of Ebury.

9dba448f82bd693484fdb303694e185e9eb5b9146c0b39974aa8a8ceea0a6589

3913e9bf43ec6a73584b9d621f396ee035d8bd1d28a99421e405c226cd321b98

01f8a935832048a6c116b376db82a83890e6375586e830e87ca3c244b71392b5

5ff9ed0b3f0b84de100b3ee47274437a2944c23a832b2bba2153992047223ecb

33ded5914025e70f6f5f109ea85179fb6373bb757da95e89958bf7a957b446bc

2ddb50f2d60c4b8bc50aa03206c6397b56fdda210bd2a935de5fb419a52fa56d

3bc5b33247ed6a4b22890ad47b9bcf7209a1d0f767cc441cf4d2206557ddadba

afbef5352942dde22e5cfa802c057917fccb17623f3e8ead165fd17371d851f3

11ac32b7d5d1db9ab0b403a3e9637a7ada87c329c030fa0b491d335485dd5f42

3127d2211bfea0d1a132d53e709c0d11dddfa32f497c4ab7f348350144b07d65