Threat Advisory

Ebury Botnet Compromised Linux Servers for Financial Theft

Threat: Malware
Threat Actor Name: Windigo
Threat Actor Type: Financially Motivated
Targeted Region: Global
Alias: G0124, Operation Windigo
Threat Actor Region: Russia
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY

The Ebury group, spearheaded by the Ebury malware, has persisted as a formidable threat in the realm of server-side Linux malware. Researchers have unveiled the ongoing activities of the group, underscoring its resilience and evolving sophistication. Their work has uncovered a concerning trend of escalating Ebury deployments, infiltrating diverse sectors such as universities, enterprises, internet service providers, and hosting service providers. Despite past interventions, Ebury continues to thrive, leveraging stolen credentials and exploiting vulnerabilities to compromise servers worldwide. The evolution of the Ebury userland rootkit, particularly its seamless integration into OpenSSH server shells, poses significant challenges for system administrators in detecting and mitigating its presence. Understanding its modus operandi is therefore imperative for fortifying systems against this persistent and evolving threat.

Ebury, a longstanding threat, operates as an OpenSSH backdoor and credential stealer, employing propagation tactics such as credential stuffing, vulnerability exploitation, and compromise of hosting providers. Notable for exploiting zero-day vulnerabilities like CVE-2021-45467 and Dirty COW (CVE-2016-5195), Ebury also conducts adversary-in-the-middle (AitM) attacks for credential theft and malicious payload deployment. Its impact is widespread, compromising hundreds of thousands of servers globally, exemplified by incidents like the compromise of a major domain registrar and web hosting provider. Ebury's techniques include injecting itself into OpenSSH subprocesses, hooking libc functions to control execution flow, and using LD_PRELOAD for concealment. It hides files, processes, and network activity by modifying system functions and tampering with /proc entries, while post-compromise activity involves credential exfiltration via DNS-like UDP packets and HTTP POST data exfiltration through libcurl. The investigation suggests a shift toward monetization through credit card theft, cryptocurrency mining, and traffic redirection. The Helimod malware family, including HelimodRedirect and HelimodSteal, shows similar complexity; HelimodSteal is notably configurable and actively deployed, whereas observed instances of HelimodRedirect have declined.
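Two of the concealment techniques named above, hijacking libc through LD_PRELOAD or /etc/ld.so.preload and hiding processes by tampering with /proc, can be checked from the defender's side. The script below is an added example, not code from this advisory or from the researchers it cites; its path heuristics, the sample preload file, the sample sshd environment and the `ps -e` output are constructed assumptions.

```python
"""Defender-side checks for two Ebury-style concealment techniques: libc
hijacking via LD_PRELOAD / /etc/ld.so.preload, and process hiding via tampered
/proc entries. Added example, not from the advisory; inputs are constructed."""

import os
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumption: a distribution-shipped preload library lives under one of these
# prefixes; anything else deserves verification against the package manager.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# Assumption: world-writable staging directories are never a legitimate home
# for a preload library on a server.
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def classify_preload_path(path: str) -> Optional[str]:
    """Return why a preloaded object looks suspicious, or None if it looks routine."""
    if path.startswith(WRITABLE_DIRS):
        return "loaded from a world-writable directory"
    if any(part.startswith(".") for part in path.split("/") if part):
        return "hidden (dot-prefixed) path component"
    if not path.startswith(TRUSTED_LIB_PREFIXES):
        return "outside the standard library directories"
    return None


def audit_preload(ld_so_preload_text: str, environ: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Audit both preload mechanisms the dynamic loader honours.

    ld_so_preload_text is the content of /etc/ld.so.preload (normally absent
    on a healthy server); environ is the environment of the process under
    inspection, e.g. parsed from /proc/<pid>/environ of sshd. Every entry is
    reported, since the file should not exist at all; the third field says why.
    """
    findings: List[Tuple[str, str, str]] = []
    for line in ld_so_preload_text.splitlines():
        path = line.split("#", 1)[0].strip()  # the loader ignores '#' comments
        if path:
            reason = classify_preload_path(path) or "present; verify with the package manager"
            findings.append(("/etc/ld.so.preload", path, reason))
    for path in environ.get("LD_PRELOAD", "").replace(":", " ").split():  # colon- or space-separated
        reason = classify_preload_path(path) or "set in a daemon's environment"
        findings.append(("LD_PRELOAD", path, reason))
    return findings


def pids_from_readdir(proc_entries) -> Set[int]:
    """PIDs as a directory listing of /proc reports them (the hookable path)."""
    return {int(name) for name in proc_entries if name.isdigit()}


def pids_from_ps(ps_output: str) -> Set[int]:
    """PIDs from `ps -e` text, which is itself built from a /proc readdir."""
    pids: Set[int] = set()
    for line in ps_output.splitlines()[1:]:  # skip the header row
        match = re.match(r"\s*(\d+)\b", line)
        if match:
            pids.add(int(match.group(1)))
    return pids


def hidden_pids(probed: Set[int], listed: Set[int]) -> Set[int]:
    """PIDs that exist when probed directly but are missing from the listing.

    A readdir hook can drop entries from the listing, but a direct open of
    /proc/<pid>/status still succeeds; the difference is the hidden set.
    """
    return probed - listed


def scan_live_proc(pid_max: Optional[int] = None) -> Set[int]:
    """Run the comparison on the current host (Linux only).

    Processes that start or exit between the two enumerations appear as
    false positives, so repeat the scan before acting on a result.
    """
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read().strip())
    listed = pids_from_readdir(os.listdir("/proc"))
    probed = {pid for pid in range(1, pid_max + 1) if os.path.exists(f"/proc/{pid}/status")}
    return hidden_pids(probed, listed)


# Constructed sample inputs (not real indicators): a preload file pointing into
# a dot-directory under /tmp, an sshd environment with LD_PRELOAD set, and a
# `ps -e` listing that omits PID 4242 although a direct probe found it.
SAMPLE_LD_SO_PRELOAD = "# constructed\n/usr/lib/x86_64-linux-gnu/libgenuine.so\n/tmp/.cache/libhook.so\n"
SAMPLE_SSHD_ENV = {"PATH": "/usr/sbin:/usr/bin", "LD_PRELOAD": "/var/tmp/libhook.so"}
SAMPLE_PS = "  PID TTY          TIME CMD\n    1 ?        00:00:01 systemd\n    2 ?        00:00:00 kthreadd\n  812 ?        00:00:00 sshd\n"
SAMPLE_PROBED = {1, 2, 812, 4242}


def run_demo() -> Tuple[List[Tuple[str, str, str]], Set[int]]:
    """Apply both checks to the constructed samples."""
    return audit_preload(SAMPLE_LD_SO_PRELOAD, SAMPLE_SSHD_ENV), hidden_pids(SAMPLE_PROBED, pids_from_ps(SAMPLE_PS))


if __name__ == "__main__":
    findings, hidden = run_demo()
    for source, path, reason in findings:
        print(f"[preload] {source}: {path} -> {reason}")
    print(f"[proc] hidden PIDs: {sorted(hidden)}")
```

Because a preload entry also takes effect inside the interpreter running this script, the live scan is only trustworthy when executed from a statically linked tool, a rescue boot, or with its output cross-checked against a process list taken from outside the host (for example over a hypervisor or out-of-band management channel).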

In conclusion, our findings shed light on the operations and methodologies of several malware families, including HelimodRedirect, HelimodSteal, KernelRedirect, and FrizzySteal. These families exhibit sophisticated techniques, such as manipulating Netfilter rules and injecting malicious code into legitimate libraries, to evade detection and carry out their activities. Moreover, our investigation underscores the prevalence and persistence of these threats, highlighting the need for robust cybersecurity measures to mitigate their impact. By raising awareness and providing insights into their behaviors, we aim to empower organizations and individuals to better defend against such threats and safeguard their systems and data.

THREAT PROFILE:

Tactic                Technique ID  Technique
Reconnaissance        T1592         Gather Victim Host Information
Resource Development  T1583         Acquire Infrastructure
                      T1584         Compromise Infrastructure
                      T1587         Develop Capabilities
Initial Access        T1190         Exploit Public-Facing Application
Execution             T1059         Command and Scripting Interpreter
                      T1609         Container Administration Command
                      T1129         Shared Modules
Persistence           T1554         Compromise Host Software Binary
                      T1574         Hijack Execution Flow
Privilege Escalation  T1068         Exploitation for Privilege Escalation
Defense Evasion       T1078         Valid Accounts
                      T1562         Impair Defenses
                      T1070         Indicator Removal
                      T1036         Masquerading
                      T1027         Obfuscated Files or Information
                      T1014         Rootkit
                      T1622         Debugger Evasion
Credential Access     T1556         Modify Authentication Process
                      T1557         Adversary-in-the-Middle
                      T1110         Brute Force
                      T1212         Exploitation for Credential Access
                      T1040         Network Sniffing
                      T1003         OS Credential Dumping
                      T1552         Unsecured Credentials
Discovery             T1018         Remote System Discovery
                      T1082         System Information Discovery
                      T1016         System Network Configuration Discovery
Lateral Movement      T1021         Remote Services
Collection            T1056         Input Capture
Command and Control   T1071         Application Layer Protocol
                      T1568         Dynamic Resolution
                      T1573         Encrypted Channel
                      T1090         Proxy
Exfiltration          T1048         Exfiltration Over Alternative Protocol
                      T1041         Exfiltration Over C2 Channel
Impact                T1565         Data Manipulation

REFERENCES:

The following reports contain further technical details:
https://www.bleepingcomputer.com/news/security/ebury-botnet-malware-infected-400-000-linux-servers-since-2009/
