Ebury: The Advanced Linux Server Malware Campaign
ESET, a Slovak cybersecurity firm, revealed that the Ebury malware botnet has compromised over 400,000 Linux servers since 2009, with more than 100,000 still infected as of late 2023.
Ebury is considered one of the most sophisticated server-side malware campaigns, and its operators are motivated primarily by financial gain: compromised servers are used for spam distribution, web traffic redirection, and credential theft. Maxim Senakh, a Russian national, was sentenced in 2017 for his involvement in the Ebury operation, which generated millions of dollars in fraudulent revenue through click-fraud and spam schemes.
ESET's investigation identified several ways Ebury spreads: theft of SSH credentials, exploitation of vulnerabilities in the Control Web Panel (CWP) hosting panel, and SSH adversary-in-the-middle (AitM) attacks. The operators use fake identities and compromised infrastructure to hide their activity. ESET also reports that Ebury was used to steal the Mirai botnet's source code, and that its operators deploy additional payloads such as the HelimodSteal, HelimodRedirect, and HelimodProxy Apache modules on compromised web servers.
Newer Ebury versions add further obfuscation and a userland rootkit capability to evade detection. The Helimod modules intercept HTTP traffic on the web server for spam relaying and ad redirection, while KernelRedirect is a kernel module that modifies HTTP traffic at the network layer to redirect visitors. Perl scripts automate large-scale SSH adversary-in-the-middle attacks. FrizzySteal, injected into libcurl, and Ebury itself harvest financial details from compromised servers; because they hook the process that handles the data, they see it before it is encrypted or after it is decrypted, so HTTPS between client and server offers no protection against them.
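The two capabilities above, a userland rootkit and shared objects injected into service processes, are what a responder would look for first on a suspect host. The Python script below is an added example, not ESET's tooling and not code from the Ebury report, and it is not Ebury-specific: it shows two generic checks, comparing the kernel's view of live PIDs (kill with signal 0) against the /proc listing a hooked readdir() could filter, and walking each process's memory map for shared objects loaded from writable or temporary locations, hidden dot-files, unlinked files, or /etc/ld.so.preload. The directory list and the /proc/<pid>/maps excerpt are constructed assumptions for the demonstration.

```python
#!/usr/bin/env python3
"""Generic Linux checks for userland rootkits and injected shared objects.

Added example, not ESET's tooling and not Ebury-specific. Run as root for full
coverage. The analysis functions take their inputs as arguments so the logic
can be exercised on constructed data as well as on a live host.
"""
import os
import re

# Assumption: a production daemon has no business loading libraries from here.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/", "/home/", "/root/")
# A mapped shared object, optionally followed by the kernel's "(deleted)" marker.
LIB_RE = re.compile(r"\.so(?:\.\d+)*(?:\s+\(deleted\))?$")

# Constructed /proc/<pid>/maps excerpt for demonstration, not from a real host.
SAMPLE_MAPS = """\
7f3a00000000-7f3a00020000 r-xp 00000000 08:01 131073   /usr/lib/x86_64-linux-gnu/libcurl.so.4.7.0
7f3a00100000-7f3a00110000 r-xp 00000000 00:19 4        /dev/shm/.x.so
7f3a00200000-7f3a00210000 r-xp 00000000 08:01 9999     /usr/lib/apache2/modules/mod_dir.so (deleted)
7f3a00300000-7f3a00320000 rw-p 00000000 00:00 0
7f3a00400000-7f3a00410000 rw-p 00000000 00:00 0        [heap]
"""


def visible_pids(proc_entries):
    """PIDs that a directory listing of /proc admits to (input: os.listdir('/proc'))."""
    return {int(name) for name in proc_entries if name.isdigit()}


def visible_tids(pids):
    """Thread IDs of visible processes. kill(tid, 0) succeeds for threads as well,
    so they must be whitelisted or every multithreaded daemon would look hidden."""
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit())
        except OSError:  # process exited between the listing and this read
            pass
    return tids


def pid_exists(pid):
    """Ask the kernel directly whether PID exists, without touching /proc."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, just not ours to signal


def find_hidden_pids(known, alive=pid_exists, max_pid=None):
    """PIDs the kernel confirms but /proc did not list. `alive` is injectable so
    the logic can be tested without a live rootkit."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1) if pid not in known and alive(pid)}


def parse_mapped_objects(maps_text):
    """File paths backing the mappings in a /proc/<pid>/maps dump."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode [path]
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5].strip())
    return paths


def suspicious_objects(paths):
    """Shared objects that look injected rather than installed. A "(deleted)"
    library is also what a package upgrade without a restart looks like, so
    confirm with dpkg -V / rpm -V before calling it malicious."""
    return {p for p in paths if LIB_RE.search(p)
            and (p.startswith(SUSPICIOUS_DIRS) or "/." in p or "(deleted)" in p)}


def preload_entries(ld_so_preload_text):
    """Libraries forced into every dynamically linked process via /etc/ld.so.preload;
    on a clean server the file is normally absent or empty."""
    return [ln.strip() for ln in ld_so_preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def audit_live_host():
    """Run both checks against the running system and return the findings."""
    visible = visible_pids(os.listdir("/proc"))
    hidden = find_hidden_pids(visible | visible_tids(visible))
    again = visible_pids(os.listdir("/proc"))  # drop PIDs that merely started meanwhile
    hidden -= again | visible_tids(again)
    injected = {}
    for pid in sorted(again):
        try:
            with open(f"/proc/{pid}/maps") as f:
                bad = suspicious_objects(parse_mapped_objects(f.read()))
        except OSError:  # exited, or not readable without root
            continue
        if bad:
            injected[pid] = sorted(bad)
    preload = []
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            preload = preload_entries(f.read())
    return {"hidden_pids": sorted(hidden), "injected": injected, "ld_so_preload": preload}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_live_host(), indent=2))
```

Run it as root and follow up any flagged library with the package manager's integrity check (`dpkg -V` or `rpm -V` on the libcurl and Apache packages) to see whether the file on disk still matches what was installed. The caveat that matters: a preload-based rootkit is loaded into this script's own interpreter too, and one that hooks the libc wrappers for kill() or readdir() can blind it, so for a host you genuinely distrust, run the checks from a statically linked tool or after booting from known-good media, and compare against indicators published by the vendor rather than relying on a single heuristic.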

The attackers also use compromised shared hosting servers to intercept unencrypted web traffic and capture sensitive data, such as financial details, submitted by visitors. Between February 2022 and May 2023, ESET observed roughly 200 servers across 34 countries being targeted in this way. Ebury's arsenal further includes tooling to bypass firewalls and to steal cryptocurrency. Because this interception depends on plaintext HTTP inside the hosting network, enforcing TLS end to end (including the last hop between a load balancer or reverse proxy and the backend) removes that particular exposure, although it does nothing against the in-process hooks described above. Overall, Ebury is a severe threat to server security: it combines many tactics to monetize compromised servers while evading detection, and operators of Linux servers should check their fleet against the indicators of compromise ESET has published.