May 15, 2024 at 07:06AM
Ebury, a sophisticated malware botnet, has compromised 400,000 Linux servers since 2009, with over 100,000 still affected as of late 2023. It is employed for various nefarious activities such as spam distribution, web traffic redirection, and credential theft, as well as cryptocurrency heists and credit card stealing. The threat actors utilize numerous methods and tools to achieve their malicious goals, including the deployment of additional payloads.
Key takeaways:
– A malware botnet named Ebury has compromised 400,000 Linux servers since 2009, with over 100,000 still compromised as of late 2023.
– Ebury is known for its advanced server-side malware campaigns focused on financial gain, involving activities such as spam spreading, web traffic redirections, credential stealing, and involvement in cryptocurrency heists.
– The botnet was first documented in Operation Windigo over a decade ago and has been associated with individuals like Maxim Senakh, who was sentenced to nearly four years in prison for his role in the botnet’s development and maintenance.
– ESET’s investigation has revealed various delivery methods for Ebury, including theft of SSH credentials, credential stuffing, infiltrating hosting provider infrastructure, and exploiting flaws in Control Web Panel.
– The threat actors have been observed using fake or stolen identities to cover their tracks and compromising infrastructure used by other perpetrators with the malware.
– Ebury has also been used to breach systems and steal code; it acts as a backdoor and SSH credential stealer, giving attackers the ability to deploy additional payloads such as HelimodSteal, HelimodProxy, and HelimodRedirect, and to expand their presence within compromised networks.
– The group uses various tools to monetize the compromised servers: HTTP server modules, a kernel module, software that hides malicious traffic and lets it pass through the firewall, and Perl scripts for large-scale attacks within hosting providers’ data centers.
– Ebury is designed to capture credit card data submitted to online stores and exfiltrate requests made by compromised servers to external HTTP servers, bypassing end-to-end encryption (HTTPS).
These takeaways highlight the severity and sophistication of the Ebury malware botnet, emphasizing the various malicious activities, delivery methods, and tools employed by the threat actors.