EXECUTIVE SUMMARY
The Ebury group, spearheaded by the Ebury malware, has persisted as a formidable threat in the realm of server-side Linux malware. Researchers have unveiled the ongoing activities of the group, underscoring its resilience and evolving sophistication. This research has uncovered a concerning trend of escalating Ebury deployments, infiltrating diverse sectors such as universities, enterprises, internet service providers, and hosting service providers. Despite past interventions, Ebury continues to thrive, leveraging stolen credentials and exploiting vulnerabilities to compromise servers worldwide. The evolution of the Ebury userland rootkit, particularly its seamless integration into OpenSSH server shells, poses significant challenges for system administrators in detecting and mitigating its presence. Comprehending its modus operandi is therefore imperative for fortifying systems against this persistent and evolving threat.
Ebury, a longstanding threat, operates as an OpenSSH backdoor and credential stealer, employing propagation tactics such as credential stuffing, vulnerability exploitation, and compromise of hosting providers. Notable for exploiting zero-day vulnerabilities like CVE-2021-45467 and Dirty COW (CVE-2016-5195), Ebury also conducts adversary-in-the-middle (AitM) attacks for credential theft and malicious payload deployment. Its impact is widespread, compromising hundreds of thousands of servers globally, exemplified by incidents like the compromise of a major domain registrar and web hosting provider. Ebury's techniques include injecting itself into OpenSSH subprocesses, manipulating libc functions to control execution flow, and employing LD_PRELOAD for concealment. It hides files, processes, and network activity by modifying system functions and tampering with /proc entries, while post-compromise activities involve credential exfiltration via DNS-like UDP packets and leveraging libcurl for HTTP POST data exfiltration. The group's recent activity suggests a shift towards monetization through credit card theft, cryptocurrency mining, and traffic redirection. The Helimod malware family, including HelimodRedirect and HelimodSteal, demonstrates similar complexity; HelimodSteal is notably configurable and actively deployed, whereas observed instances of HelimodRedirect have declined.
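The LD_PRELOAD concealment and library injection described above leave traces that a defender can look for directly. The script below is an added example written for this summary; it is not code from the report or from the Ebury research it summarises. It inspects the three places where userland preloading shows up (/etc/ld.so.preload, the LD_PRELOAD variable in a process's environment, and shared objects mapped into a process from outside the distribution's library directories) and runs against constructed sample files so it can be tried offline. The trusted library prefixes and the sample library name libsample-hook.so are assumptions, not Ebury indicators.

```shell
#!/bin/sh
# Added example; not code from the report or from the Ebury research it summarises.
# Looks for the traces that LD_PRELOAD-style userland hooking leaves on a Linux host:
#   1. entries in /etc/ld.so.preload (libraries forced into every dynamically linked process)
#   2. an LD_PRELOAD variable in a process's environment (/proc/<pid>/environ)
#   3. shared objects mapped into a process from outside the distribution's library
#      directories (/proc/<pid>/maps)
# Each check takes a file path, so it runs against constructed samples offline;
# audit_live points the same checks at the running sshd.

# Active entries of an ld.so.preload-style file (blank and comment lines dropped).
preload_entries() {
    [ -r "$1" ] || return 0
    awk '/^[ \t]*$/ || /^[ \t]*#/ { next } { print }' "$1"
}

# Value of LD_PRELOAD from a NUL-separated environ file, if present.
preload_env() {
    [ -r "$1" ] || return 0
    tr '\000' '\n' < "$1" | awk -F= '$1 == "LD_PRELOAD" { print substr($0, 12) }'
}

# Mapped .so paths outside the usual distribution library directories.
# The trusted prefixes are an assumption; adjust them for the distribution in use.
untrusted_mapped_libs() {
    [ -r "$1" ] || return 0
    awk 'NF >= 6 && ($6 ~ /\.so$/ || $6 ~ /\.so\./) && $6 !~ /^\/(usr\/)?lib(32|64)?\// { seen[$6] = 1 }
         END { for (p in seen) print p }' "$1" | sort
}

# Run the checks against the live system. Reads /proc directly rather than
# trusting ps/ls output, but a rootkit that has hooked libc in this shell can
# still lie, so confirm any finding from a rescue boot or with package
# verification (dpkg -V openssh-server / rpm -V openssh-server).
audit_live() {
    echo "== /etc/ld.so.preload entries =="
    preload_entries /etc/ld.so.preload
    pid=$(pidof -s sshd 2>/dev/null) || pid=""
    if [ -n "$pid" ]; then
        echo "== LD_PRELOAD in sshd ($pid) environment =="
        preload_env "/proc/$pid/environ"
        echo "== non-distribution libraries mapped into sshd =="
        untrusted_mapped_libs "/proc/$pid/maps"
    fi
}

# ---- constructed sample data: illustrative only, not real indicators ----
SAMPLE_DIR=$(mktemp -d)
printf 'libsample-hook.so\n# comment line\n\n' > "$SAMPLE_DIR/ld.so.preload"
printf 'PATH=/usr/bin\000LD_PRELOAD=/usr/local/lib/libsample-hook.so\000HOME=/root\000' \
    > "$SAMPLE_DIR/environ"
cat > "$SAMPLE_DIR/maps" <<'EOF'
55d3a0000000-55d3a00c0000 r-xp 00000000 08:01 524290   /usr/sbin/sshd
7f0a1c000000-7f0a1c1c5000 r--p 00000000 08:01 131073   /usr/lib/x86_64-linux-gnu/libc.so.6
7f0a1c400000-7f0a1c412000 r-xp 00000000 08:01 262200   /usr/local/lib/libsample-hook.so
7f0a1c600000-7f0a1c62c000 r--p 00000000 08:01 131100   /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7f0a1c800000-7f0a1c802000 rw-p 00000000 00:00 0
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0        [stack]
EOF

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    echo "preload file:";          preload_entries "$SAMPLE_DIR/ld.so.preload"
    echo "LD_PRELOAD in env:";     preload_env "$SAMPLE_DIR/environ"
    echo "untrusted mapped libs:"; untrusted_mapped_libs "$SAMPLE_DIR/maps"
fi
```

Run it with no arguments to see the checks fire on the constructed samples, or with `--live` as root to audit the running sshd. The path-prefix heuristic is deliberately simple: a hook dropped inside /usr/lib would pass it, which is why the live audit should be paired with package verification of the OpenSSH binaries and libraries, and why the summary's point about /proc tampering matters: tooling that itself runs under a hooked libc can be shown a clean picture.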
In conclusion, our findings shed light on the operations and methodologies of various malware families, including HelimodRedirect, HelimodSteal, KernelRedirect, and FrizzySteal. These malicious entities exhibit sophisticated techniques, such as manipulating Netfilter rules and injecting malicious code into legitimate libraries, to evade detection and carry out their malicious activities. Moreover, our investigation underscores the prevalence and persistence of these threats, highlighting the need for robust cybersecurity measures to mitigate their impact. By raising awareness and providing insights into their behaviors, we aim to empower organizations and individuals to better defend against such threats and safeguard their systems and data.
THREAT PROFILE:
Tactic | Technique ID | Technique
Reconnaissance | T1592 | Gather Victim Host Information
Resource Development | T1583 | Acquire Infrastructure
Resource Development | T1584 | Compromise Infrastructure
Resource Development | T1587 | Develop Capabilities
Initial Access | T1190 | Exploit Public-Facing Application
Execution | T1059 | Command and Scripting Interpreter
Execution | T1609 | Container Administration Command
Execution | T1129 | Shared Modules
Persistence | T1554 | Compromise Host Software Binary
Persistence | T1574 | Hijack Execution Flow
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
Defense Evasion | T1078 | Valid Accounts
Defense Evasion | T1562 | Impair Defenses
Defense Evasion | T1070 | Indicator Removal
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1014 | Rootkit
Defense Evasion | T1622 | Debugger Evasion
Credential Access | T1556 | Modify Authentication Process
Credential Access | T1557 | Adversary-in-the-Middle
Credential Access | T1110 | Brute Force
Credential Access | T1212 | Exploitation for Credential Access
Credential Access | T1040 | Network Sniffing
Credential Access | T1003 | OS Credential Dumping
Credential Access | T1552 | Unsecured Credentials
Discovery | T1018 | Remote System Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1016 | System Network Configuration Discovery
Lateral Movement | T1021 | Remote Services
Collection | T1056 | Input Capture
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1568 | Dynamic Resolution
Command and Control | T1573 | Encrypted Channel
Command and Control | T1090 | Proxy
Exfiltration | T1048 | Exfiltration Over Alternative Protocol
Exfiltration | T1041 | Exfiltration Over C2 Channel
Impact | T1565 | Data Manipulation
REFERENCES:
The following reports contain further technical details:
https://www.bleepingcomputer.com/news/security/ebury-botnet-malware-infected-400-000-linux-servers-since-2009/