Ebury, one of the most advanced server-side malware campaigns, has been active for 15 years, but its use by threat actors is still growing, according to cybersecurity company ESET.
A new report published on 14 May by ESET Research shows that the operators of the Ebury malware and botnet were more active in 2023 than ever before.
Over the years, Ebury has been used as a backdoor to compromise nearly 400,000 Linux, FreeBSD and OpenBSD servers. More than 100,000 were still affected at the end of 2023.
Long known for spam, web traffic redirection and credential theft, the Ebury group recently added credit card compromise and cryptocurrency theft to its tactics, techniques and procedures (TTPs).
What is the Ebury botnet?
Ebury is a malicious group that has been active since 2009. It developed an OpenSSH backdoor and credential stealer that is used to deploy multiple malware strains at the same time by leveraging a network of bots (a botnet).
The group's primary targets are hosting providers.
The Ebury botnet is used to compromise Linux, FreeBSD and OpenBSD servers in order to deploy web traffic redirection modules, proxy traffic for spam, or carry out adversary-in-the-middle (AitM) attacks.
In 2014, ESET published a white paper on Operation Windigo, a malicious campaign involving several malware families working in concert, with the Ebury malware family at its core.
After the release of the Windigo paper, the Russian national Senakh, one of the Ebury operators, was arrested in 2015 at the Finland-Russia border and later extradited to the US.
In 2017 he was sentenced to 46 months in prison in the US for his role in running the Ebury botnet. ESET assisted the FBI in the operation and testified during the trial.
At the end of 2021, the Dutch National High Tech Crime Unit (NHTCU), part of the Dutch National Police, contacted ESET after they found Ebury on the server of a cryptocurrency theft victim.
“Those suspicions were found to be well substantiated and, with the help of the NHTCU, ESET Research has gained considerable visibility into the activities of the Ebury threat actors,” the new ESET report states.
Marc-Etienne M. Léveillé, the ESET researcher who has investigated Ebury for more than ten years, noted: “We have documented cases […] where the Ebury actors were able to compromise thousands of servers at the same time. There are no geographical boundaries to Ebury; servers have been compromised with Ebury in almost all countries of the world. Whenever a hosting provider was compromised, it led to a vast number of compromised servers in the same data centers.
“At the same time, no verticals are targeted more than others. Victims include universities, small and large enterprises, internet service providers, cryptocurrency traders, exit nodes, shared hosting providers and dedicated server providers, to name just a few.”
Ebury’s new favorite targets: Bitcoin and Ethereum nodes
Despite the arrest, the Ebury group continued to conduct further malicious campaigns, at least until the end of 2023.
The ESET report describes new methods, first seen after 2021, that are used to spread Ebury to new servers.
From its access to the infrastructure of its target, usually a hosting provider, the Ebury group can carry out different types of attacks.
In one of the most recent, the group uses an AitM attack to intercept SSH traffic from attractive targets in data centers and redirect it to a server used to capture login credentials.
The malicious actors use existing Ebury-compromised servers in the same network segment as their target to perform Address Resolution Protocol (ARP) spoofing. Among the targets are Bitcoin and Ethereum nodes. Ebury automatically steals cryptocurrency wallets hosted on the targeted server as soon as the victim types the password to log in.
ESET noted that this method was used against more than 200 targets on more than 75 networks in 34 countries between February 2022 and May 2023.
This example illustrates not only one of Ebury’s latest attack techniques but also one of the group’s newest revenue streams: cryptocurrency theft.
Moreover, the Ebury malware family itself has also been updated.
The new major version, 1.8, first seen at the end of 2023, includes new obfuscation techniques, a new domain generation algorithm (DGA) and improvements to the Ebury userland rootkit that make it harder for system administrators to spot. When active, the process, the file, the socket and even the allocated memory are hidden.
2023, a record year for Ebury
These shifts in the Ebury group’s infection and monetization methods seem to be paying off, as the group’s activity increased considerably in 2023 compared to 2021.
“The perpetrators keep track of the systems they have compromised, and we used that data to draw a timeline of the number of new servers added to the botnet every month,” the ESET researchers wrote.
August 2023 saw record-breaking activity from the group, with more than 6,000 servers compromised in that month alone.
In total, around 400,000 servers have been compromised by Ebury since 2009, and more than 100,000 were still affected at the end of 2023.