Insights, news, education and announcements from PolySwarm

Ebury Compromised 400K Linux Servers

Written by The Hivemind | May 20, 2024 6:59:44 PM

Related Families: HelimodSteal, HelimodProxy, HelimodRedirect

Executive Summary

A longstanding botnet campaign is known to deliver Ebury, an OpenSSH backdoor and credential stealer.

Key Takeaways

  • A longstanding botnet campaign is known to deliver Ebury, an OpenSSH backdoor and credential stealer. 
  • Ebury has been active since at least 2009 and has compromised over 400,000 Linux servers to date.
  • Ebury is one of the most advanced server-side malware campaigns used for financial gain
  • The threat actors behind Ebury are financially motivated and have used multiple methods to try to monetize, including using spam, web traffic redirects, and credential theft. 
  • Ebury allows threat actors to deploy follow-on payloads, including HelimodSteal, HelimodProxy, and HelimodRedirect. 

What is Ebury?

A longstanding botnet campaign is known to deliver Ebury. Ebury is an OpenSSH backdoor and credential stealer. ESET first reported on Ebury in 2014 as a part of coverage of Operation Windigo and recently released an updated report on the malware, as it has continued to be active over the last decade.

Ebury, which has been active since at least 2009, has compromised 400,000 Linux servers to date. ESET noted that Ebury is one of the most advanced server side malware campaigns used for financial gain. The financially motivated threat actors behind Ebury have used multiple methods to try to monetize, including using spam, web traffic redirects, and credential theft.

The threat actors have also been observed stealing cryptocurrency via AitM and stealing credit card numbers via server side web skimming. The threat actors behind Ebury are clever and have managed to compromise the infrastructure of other threat actors, including the infrastructure behind Vidar stealer.

ESET has observed Ebury being delivered via multiple methods, including using stolen credentials, credential stuffing, infiltrating hosting provider infrastructure, exploiting flaws in Control Web Panel (including CVE-2021-45467), and SSH adversary in the middle (AitM) attacks.

Ebury is both a backdoor and an SSH credential stealer. Its most recent known version was released in late 2023. New features in the updated Ebury variant include new obfuscation techniques, a new domain generation algorithm (DGA), and improvements for hiding the rootkit from systems administrators.

Ebury allows threat actors to deploy follow-on payloads. Payloads observed in conjunction with Ebury include HelimodSteal, HelimodProxy, and HelimodRedirect. HelimodSteal is an Apache module that exfiltrates all HTTP POST requests that are sent to the server. It can be used to steal credit card information. HelimodProxy is used for spam campaigns. HelimodRedirect is an Apache module that redirects a small amount of HTTP traffic to ads. 

IOCs

PolySwarm has multiple samples of Ebury.

 

9dba448f82bd693484fdb303694e185e9eb5b9146c0b39974aa8a8ceea0a6589

3913e9bf43ec6a73584b9d621f396ee035d8bd1d28a99421e405c226cd321b98

01f8a935832048a6c116b376db82a83890e6375586e830e87ca3c244b71392b5

5ff9ed0b3f0b84de100b3ee47274437a2944c23a832b2bba2153992047223ecb

33ded5914025e70f6f5f109ea85179fb6373bb757da95e89958bf7a957b446bc

2ddb50f2d60c4b8bc50aa03206c6397b56fdda210bd2a935de5fb419a52fa56d

3bc5b33247ed6a4b22890ad47b9bcf7209a1d0f767cc441cf4d2206557ddadba

afbef5352942dde22e5cfa802c057917fccb17623f3e8ead165fd17371d851f3

11ac32b7d5d1db9ab0b403a3e9637a7ada87c329c030fa0b491d335485dd5f42

3127d2211bfea0d1a132d53e709c0d11dddfa32f497c4ab7f348350144b07d65

8cc01a0c2a3d20e2e1c29e4960e362d0258694538a23cd703f503f6969aeb356

b20a25779dc2af69ebdbbe2884d9fe316477157d6dab1102d2371a65c256d8d1

e69323fb1f891726ae7589b97ebd46d1aafec87793be2b68f9b033c360e0a4d2

e33a1aeed5e3d670cfe002cd98ab1dd106e83a08be4def552ccec461ed2e9611

4109cebe6ee503691bf53704a249893395f618221a160e32488eb48ca6954fcc

15298ef46a68803a3eeeac84e22df6836b991650f78ec2d1de379b0e6a86ef86

003245047359e17706e4504f8988905a219fcb48865afea934e6aafa7f97cef6

db3e9c6e4b9d3b699e2940196b07a5a1cde19f6b60b83163882b736c61ca43e1

4665484cfebbdce0c899b12c42e11183c29637fad23f60e5465df9a9fad63dcc

78bc52158716a514987415afd75fdea43fef73b7f215174218881881ba82500b

5f27e51636de85a3dcc821f0dc0b46a5cbd63bde3b5ea0c10c393d25e5305463

669119b2a9d5b6e1b764acf7582574345ff5470d8717da53a8330f358ffb8904

fbcdccbdc7506720cfb1f37843f88a39d8cb6e551e7224e813a6bbc81e9b7813

ecdcf256c822a9d9f3ce011fd98f22b3ca3e345b34b2c17fa34471ab7f65edb3

 

You can use the following CLI command to search for all Ebury samples in our portal:

$ polyswarm link list -f Ebury

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.