May 14, 2024 at 12:37PM
Summary: Ebury, a malware botnet, has infected nearly 400,000 Linux servers since 2009, with around 100,000 still compromised in late 2023. ESET researchers have tracked the financially motivated operation for over a decade, observing updates in its capabilities. Recent tactics involve breaching hosting providers, stealing credentials, exploiting vulnerabilities, and employing new obfuscation techniques. Collaboration with the Dutch authorities has resulted in the seizure of a backup server, providing further insight into the operations.
Based on the meeting notes, the key takeaways are:
1. The Ebury malware botnet has infected almost 400,000 Linux servers since 2009, with roughly 100,000 still compromised as of late 2023.
2. ESET researchers have been tracking the financially motivated malware operation for over a decade, noting significant updates in the payload’s capabilities in 2014 and 2017.
3. Recent Ebury attacks show a preference for breaching hosting providers and performing supply chain attacks on clients renting virtual servers from compromised providers. The initial compromise is achieved through credential stuffing attacks and the malware exfiltrates SSH connection data and authentication keys.
4. The attackers also exploit known vulnerabilities in server software to gain further access and may leverage hosting provider infrastructure to deploy Ebury across multiple containers or virtual environments.
5. ESET observed the introduction of new obfuscation techniques and a new domain generation algorithm (DGA) in late 2023, enabling the botnet to evade detection and to keep operating when individual domains or servers are blocked or taken down.
6. The malware modules associated with Ebury include HelimodProxy, HelimodRedirect, HelimodSteal, KernelRedirect, and FrizzySteal, each designed to carry out different malicious activities such as relaying spam, redirecting web traffic, exfiltrating sensitive information, and intercepting HTTP requests.
7. ESET’s latest investigation was carried out in collaboration with the Dutch National High Tech Crime Unit, leading to the seizure of a backup server used by the cybercriminals. The unit is investigating evidence found on the server, including virtual machines containing web browsing artifacts, but no concrete attributions have been made yet.
These takeaways summarize the key points from the notes regarding the Ebury malware botnet and ESET’s recent investigative efforts.