Ebury, a notorious server-side malware campaign, has been wreaking havoc for the past 15 years and shows no signs of slowing down, according to cybersecurity firm ESET.
In a recent report released on May 14, ESET Research revealed that the operators behind the Ebury malware and botnet were more active than ever in 2023. This malicious group has been responsible for compromising nearly 400,000 Linux, FreeBSD, and OpenBSD servers over the years, with more than 100,000 servers still compromised as of late 2023.
Originally known for spam, web traffic redirection, and credential theft, the Ebury group has since added credit card compromise and cryptocurrency theft to its tactics, techniques, and procedures (TTPs).
Ebury operates as a backdoor that targets hosting providers, deploying multiple malware strains through a botnet. This group primarily targets Linux, FreeBSD, and OpenBSD servers to carry out activities such as web traffic redirection, spam proxying, and adversary-in-the-middle attacks.
In 2014, ESET published a white paper detailing Operation Windigo, a malicious campaign that integrated various malware families with Ebury at its core. Following this publication, one of the Ebury operators, Maxim Senakh, was arrested in 2015 and later sentenced to prison for his involvement in running the botnet.
Despite Senakh’s arrest, the Ebury group has continued its malicious activities, with a particular focus on Bitcoin and Ethereum nodes for cryptocurrency theft. The group has developed new methods for propagating Ebury to servers, including intercepting SSH traffic through ARP spoofing to steal credentials and cryptocurrency wallets.
In late 2023, ESET observed a significant uptick in Ebury’s activity, with over 6,000 newly compromised servers recorded in August alone. The group’s latest major update, version 1.8, introduced new obfuscation techniques, a domain generation algorithm (DGA), and enhancements to the userland rootkit used to hide Ebury from detection.
In conclusion, Ebury’s evolution and increased activity in 2023 underscore the ongoing threat posed by this sophisticated malware campaign. With over 400,000 servers compromised since 2009, the Ebury group remains a formidable adversary in the cybersecurity landscape.