ESET Research
One of the most advanced server-side malware campaigns is still growing, with hundreds of thousands of compromised servers, and it has diversified to include credit card and cryptocurrency theft.
Marc-Etienne M.Léveillé
14 May 2024
Ten years ago we raised awareness of Ebury by publishing a white paper we called Operation Windigo, which documented a campaign that leveraged Linux malware for financial gain. Today we publish a follow-up paper on how Ebury has evolved, and the new malware families its operators use to monetize their botnet of Linux servers.
The arrest and conviction of one of the Ebury perpetrators following the Operation Windigo paper did not stop the botnet from expanding. Ebury, the OpenSSH backdoor and credential stealer, was still being updated, as we reported in 2014 and 2017. We maintain honeypots to track new samples and network indicators. However, it has become more and more difficult to run such honeypots as Ebury evolved. For instance, one of our honeypots did not react exactly as expected when Ebury was installed.
In 2021, the Dutch National High Tech Crime Unit (NHTCU) reached out to ESET after they had found Ebury on the server of a victim of cryptocurrency theft. Working together, we gained great visibility into the recent activities of the group and the malware it uses.
Ebury, Ebury everywhere
This paper reveals new methods used to propagate Ebury to new servers. Among the victims are many hosting providers. The gang leverages its access to a hosting provider’s infrastructure to install Ebury on all the servers rented out by that provider. Another notable method is the use of adversary-in-the-middle attacks to intercept the SSH traffic of interesting targets inside data centers and redirect it to a server used to capture credentials.
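An adversary-in-the-middle that redirects an SSH session to a credential-capturing server has to present its own host key, which differs from the key the client has already pinned for that host. The following added example (written for this summary, not ESET’s detection script from the malware-research repository) shows the check a defender can run: it parses an OpenSSH known_hosts file, including hashed `|1|salt|hmac` entries, compares it against host keys observed on the wire (for instance collected with `ssh-keyscan`), and flags pinned-key mismatches. All hostnames, keys and salts are constructed sample data; the `Finding` type and function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    status: str     # "ok", "MISMATCH" (possible interception), or "unpinned"
    expected: str   # SHA256 fingerprint of the pinned key, "" if none
    observed: str   # SHA256 fingerprint of the key seen on the wire


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(entry: str, host: str) -> bool:
    """Match one known_hosts host field against a hostname, including the
    hashed form |1|<b64 salt>|<b64 HMAC-SHA1(salt, hostname)>."""
    if entry.startswith("|1|"):
        _, _, salt, mac = entry.split("|")
        expected = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac))
    return host in entry.split(",")


def parse_known_hosts(text: str) -> list:
    """Return (hostfield, keytype, b64key) triples. Marker lines (@cert-authority,
    @revoked) need their own handling and are skipped here."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2]))
    return entries


def pinned_key(entries: list, host: str, keytype: str):
    """Return the pinned base64 key for host/keytype, or None if never pinned."""
    for hostfield, ktype, key in entries:
        if ktype == keytype and host_matches(hostfield, host):
            return key
    return None


def check_observed(known_hosts_text: str, observed: dict) -> list:
    """observed maps hostname -> (keytype, b64key) as presented by the server
    during key exchange. Returns one Finding per observed host."""
    entries = parse_known_hosts(known_hosts_text)
    findings = []
    for host, (keytype, key) in observed.items():
        expected = pinned_key(entries, host, keytype)
        if expected is None:
            status, exp_fp = "unpinned", ""
        elif expected == key:
            status, exp_fp = "ok", fingerprint(expected)
        else:
            status, exp_fp = "MISMATCH", fingerprint(expected)
        findings.append(Finding(host, status, exp_fp, fingerprint(key)))
    return findings


# --- constructed sample data (not real keys, hosts or salts) ---
KEY_A = base64.b64encode(b"constructed-host-key-blob-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-blob-B").decode()
KEY_C = base64.b64encode(b"constructed-host-key-blob-C").decode()
SALT = b"0123456789abcdefghij"  # 20 bytes, the length OpenSSH uses
HASHED_DB01 = "|1|%s|%s" % (
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, b"db01.example.internal", hashlib.sha1).digest()).decode(),
)
SAMPLE_KNOWN_HOSTS = f"""# constructed sample known_hosts
web01.example.internal,10.0.0.11 ssh-ed25519 {KEY_A}
{HASHED_DB01} ssh-ed25519 {KEY_C}
"""
SAMPLE_OBSERVED = {
    "web01.example.internal": ("ssh-ed25519", KEY_B),   # key changed: possible interception
    "db01.example.internal": ("ssh-ed25519", KEY_C),    # matches the hashed entry
    "jump03.example.internal": ("ssh-ed25519", KEY_A),  # never pinned, nothing to compare
}


def sample_statuses() -> dict:
    """Status per host for the constructed sample, used by the self-check."""
    return {f.host: f.status for f in check_observed(SAMPLE_KNOWN_HOSTS, SAMPLE_OBSERVED)}


if __name__ == "__main__":
    for f in check_observed(SAMPLE_KNOWN_HOSTS, SAMPLE_OBSERVED):
        print(f"{f.status:9} {f.host}  pinned={f.expected or '-'}  observed={f.observed}")
```

A MISMATCH is exactly what the interactive `ssh` client warns about when `StrictHostKeyChecking` is enforced; the value of running the comparison centrally, over keys scanned from the network, is that it catches a host key change even on machines where operators habitually accept the warning or where automation connects with checking disabled. An "unpinned" result is not evidence of interception, but it marks hosts for which no detection of this kind is possible until a key is recorded.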
So how effective are all these methods? Combined, about 400,000 servers have been compromised by Ebury since 2009. Monetization strategies include spam and web traffic redirection, as well as stealing financial details from transactional websites.
Hiding deeper
The Ebury malware family itself has also been updated. The new major version update, 1.8, was first seen in late 2023. Among the updates are new obfuscation techniques, a new domain generation algorithm (DGA), and improvements in the userland rootkit used by Ebury to hide itself from system administrators.
Want to know more? The new paper, Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain, goes into more detail about each aspect of Ebury, including many technical specifics. Indicators of compromise are also available in ESET’s malware-ioc GitHub repository, and a detection script is in the malware-research repository.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.