400,000 Linux Servers Compromised for Cryptocurrency Theft and Financial Gain

One of the most advanced server-side malware campaigns is still growing, with hundreds of thousands of servers compromised, and has diversified to include credit card and cryptocurrency theft

Marc-Etienne M. Léveillé

May 14, 2024 • 3 min. read

Ten years ago we raised awareness of Ebury by publishing a white paper we titled Operation Windigo, which documented a campaign that exploited Linux malware for profit. Today we publish a follow-up paper on how Ebury has evolved and the new malware families used by its operators to monetize their Linux server botnet.

The arrest and conviction of one of the Ebury authors following the Operation Windigo paper did not stop the botnet from expanding. Ebury, the OpenSSH backdoor and credential stealer, continued to be updated, as we reported in 2014 and 2017.

We maintain honeypots to collect new samples and network indicators. However, running honeypots has become increasingly difficult as Ebury has evolved. For example, one of our honeypots did not react exactly as expected when Ebury was installed. After we had spent hours trying to debug what was happening, the Ebury operators abandoned the server and left a message showing that they were aware of our attempt to deceive them, as shown in Figure 1.


Figure 1. Interactions between the Ebury authors and a honeypot operated by ESET, demonstrating that the operators had marked this system as a honeypot

In 2021, the Dutch National High Tech Crime Unit (NHTCU) contacted ESET after finding Ebury on the server of a cryptocurrency theft victim. By working together, we gained excellent visibility into the group’s recent activities and the malware it uses.

Ebury, Ebury everywhere

The new paper reveals methods used to propagate Ebury to new servers. Figure 2 summarizes the methods we were able to document.


Figure 2. Different methods used by the Ebury gang to compromise new servers

Among the victims there are many hosting providers. The group uses its access to the hosting provider’s infrastructure to install Ebury on all servers rented from that provider. As an experiment, we rented a virtual server from one of the compromised hosting providers: Ebury was installed on our server within seven days.

Another interesting method is an adversary-in-the-middle (AitM) attack: SSH traffic from interesting targets inside data centers is intercepted and redirected to a server used to capture credentials, as summarized in Figure 3. The Ebury operators use servers already compromised by Ebury in the same network segment as the target to perform ARP spoofing. According to our Internet telemetry, more than 200 servers were targeted in 2023, among them Bitcoin and Ethereum nodes. Once the victim types the password to reach the target server, Ebury automatically steals the cryptocurrency wallets hosted on it.
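The ARP spoofing step described above leaves a trace that defenders can watch for: an IP address whose MAC binding changes, or a single MAC that suddenly answers for several addresses in the segment. The script below is an added, defender-side example (not ESET's code and not the detection script mentioned later on this page) that runs two such heuristics over a feed of ARP observations. The feed format (timestamp, IP, MAC), the `critical_ips` parameter, and the log lines are all constructed for the example.

```python
"""Flag ARP-cache changes that can indicate traffic interception on a segment.

Added example, not ESET's code. It assumes a feed of ARP observations
(timestamp, IP, MAC), for instance a periodic dump of `ip neigh` or a
sniffer log; the sample lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: three snapshots of one /24 segment. The gateway 10.0.0.1
# is legitimately at aa:aa:aa:aa:aa:01. In the third snapshot the host at
# bb:bb:bb:bb:bb:20 starts answering for both the gateway and a peer (10.0.0.30).
SAMPLE_ARP_LOG = """\
2024-05-01T10:00:00 10.0.0.1  aa:aa:aa:aa:aa:01
2024-05-01T10:00:00 10.0.0.20 bb:bb:bb:bb:bb:20
2024-05-01T10:00:00 10.0.0.30 cc:cc:cc:cc:cc:30
2024-05-01T10:05:00 10.0.0.1  aa:aa:aa:aa:aa:01
2024-05-01T10:05:00 10.0.0.20 bb:bb:bb:bb:bb:20
2024-05-01T10:05:00 10.0.0.30 cc:cc:cc:cc:cc:30
2024-05-01T10:10:00 10.0.0.1  bb:bb:bb:bb:bb:20
2024-05-01T10:10:00 10.0.0.20 bb:bb:bb:bb:bb:20
2024-05-01T10:10:00 10.0.0.30 bb:bb:bb:bb:bb:20
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.I
)


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) tuples; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, ip, mac = m.groups()
            yield ts, ip, mac.lower()


def detect_arp_anomalies(text, critical_ips=("10.0.0.1",)):
    """Return a list of (timestamp, severity, message) alerts.

    Heuristic 1: an IP's MAC differs from the binding first seen for it.
    Heuristic 2: one MAC is bound to several IPs within the same snapshot.
    `critical_ips` (constructed parameter) marks addresses such as the default
    gateway whose rebinding is escalated to "critical".
    """
    baseline = {}
    per_snapshot = defaultdict(lambda: defaultdict(set))  # ts -> mac -> {ips}
    alerts = []
    for ts, ip, mac in parse_arp_log(text):
        per_snapshot[ts][mac].add(ip)
        if ip not in baseline:
            baseline[ip] = mac
        elif baseline[ip] != mac:
            sev = "critical" if ip in critical_ips else "warning"
            alerts.append((ts, sev, f"{ip} moved from {baseline[ip]} to {mac}"))
    for ts in sorted(per_snapshot):
        for mac, ips in per_snapshot[ts].items():
            if len(ips) > 1:
                alerts.append((ts, "warning",
                               f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}"))
    # Stable sort keeps the two heuristics' order within a timestamp.
    alerts.sort(key=lambda a: a[0])
    return alerts


if __name__ == "__main__":
    for ts, sev, msg in detect_arp_anomalies(SAMPLE_ARP_LOG):
        print(f"{ts} [{sev}] {msg}")
```

On the constructed feed this raises three alerts at 10:10: the gateway rebinding (critical), the peer rebinding (warning), and one MAC claiming all three addresses. Static ARP entries for the gateway and rejecting gratuitous ARP at the switch are the usual mitigations that make this class of interception visible or impossible.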


Figure 3. Overview of AitM attacks perpetrated by the Ebury gang

So how effective are all these methods? Overall, approximately 400,000 servers have been compromised by Ebury since 2009, and more than 100,000 were still compromised as of the end of 2023. The authors keep track of the systems they have compromised, and we used that data to plot a timeline of the number of new servers added to the botnet every month (Figure 4). It is shown using two scales, to demonstrate some of the major incidents where Ebury was deployed across tens of thousands of servers at the same time.


Figure 4. Monthly Ebury distributions using two different scales on the Y-axis, according to the attacker-maintained database of compromised servers

Monetization

The new paper documents new malware families used to monetize the Ebury botnet (Figure 5). In addition to the spam sending and web traffic redirection the group still perpetrates, HTTP POST requests made to and from compromised servers are intercepted to steal financial details from transactional websites.


Figure 5. Different malware families deployed on Ebury-infested servers and impact on potential victims

Hiding deeper

The Ebury malware family itself has also been updated. The new major version, 1.8, was first seen in late 2023. Among the changes are new obfuscation techniques, a new domain generation algorithm (DGA), and improvements to the userland rootkit Ebury uses to hide from system administrators. When the rootkit is active, the process, file, socket, and even the mapped memory (Figure 6) are hidden.


Figure 6. Differences (in unified format) in the OpenSSH server and Bash map files when under the Ebury userland rootkit
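Figure 6 compares map files with and without the rootkit in a unified diff. The defender's counterpart to that comparison is to keep a baseline snapshot of a daemon's `/proc/<pid>/maps` taken from a trusted vantage point and check the live view against it, and, independently, to flag executable regions that are not backed by any file. The script below is an added example (not ESET's code and not the detection script mentioned below) doing both; the sshd map snapshots, addresses and inode numbers are constructed, and the anonymous executable region in them is a hypothetical injected region, not a claim about Ebury's actual layout.

```python
"""Compare /proc/<pid>/maps snapshots and flag file-less executable regions.

Added example, not ESET's code. The two snapshots below are constructed
stand-ins for an sshd process: BASELINE_MAPS is what a trusted vantage point
would report, LIVE_MAPS is the same process with two lines missing, which is
the effect a userland rootkit that filters the maps file would produce.
"""
import difflib
import re

BASELINE_MAPS = """\
55d0c2e00000-55d0c2f00000 r-xp 00000000 fd:01 262401 /usr/sbin/sshd
7f3a10000000-7f3a10200000 r-xp 00000000 fd:01 262912 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a10400000-7f3a10404000 r-xp 00000000 00:00 0
7f3a10404000-7f3a10406000 rw-p 00000000 00:00 0
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
7ffd2a1f0000-7ffd2a1f2000 r-xp 00000000 00:00 0 [vdso]
"""

LIVE_MAPS = """\
55d0c2e00000-55d0c2f00000 r-xp 00000000 fd:01 262401 /usr/sbin/sshd
7f3a10000000-7f3a10200000 r-xp 00000000 fd:01 262912 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
7ffd2a1f0000-7ffd2a1f2000 r-xp 00000000 00:00 0 [vdso]
"""

# start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")

# Kernel-provided executable regions that legitimately have no backing file.
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}


def parse_maps(text):
    """Parse maps-format text into a list of region dicts; bad lines are skipped."""
    regions = []
    for raw in text.splitlines():
        m = MAPS_RE.match(raw.strip())
        if not m:
            continue
        start, end, perms, _offset, _dev, inode, path = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16),
                        "perms": perms, "inode": int(inode), "path": path})
    return regions


def suspicious_mappings(text):
    """Executable regions with no backing file (inode 0) other than kernel regions.

    Such regions are not proof of compromise (JITs create them), but for a
    daemon like sshd they deserve a second look.
    """
    return [r for r in parse_maps(text)
            if "x" in r["perms"] and r["inode"] == 0 and r["path"] not in KERNEL_REGIONS]


def hidden_regions(baseline_text, live_text):
    """Regions present in the baseline snapshot but absent from the live view."""
    key = lambda r: (r["start"], r["end"], r["perms"], r["path"])
    base = {key(r) for r in parse_maps(baseline_text)}
    live = {key(r) for r in parse_maps(live_text)}
    return sorted(base - live)


def unified_diff(baseline_text, live_text):
    """Same comparison rendered as the unified diff format used in Figure 6."""
    return "".join(difflib.unified_diff(baseline_text.splitlines(True),
                                        live_text.splitlines(True),
                                        "maps.baseline", "maps.live"))


if __name__ == "__main__":
    for r in suspicious_mappings(BASELINE_MAPS):
        print(f"file-less executable region {r['start']:x}-{r['end']:x} {r['perms']}")
    print(unified_diff(BASELINE_MAPS, LIVE_MAPS))
```

Both checks read the maps file through the same hooked libc the rootkit controls, which is why the baseline must come from a source the rootkit does not mediate (a snapshot taken before compromise, or a view obtained from outside the running system). The unified diff is what an analyst would file alongside the alert.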

Want to know more? Am I compromised?

The new white paper, Ebury is alive but invisible: 400,000 Linux servers compromised for cryptocurrency theft and financial gain, goes into more detail on each of these aspects of Ebury and includes many technical details.

Indicators of compromise are also available in ESET's malware-ioc GitHub repository, and a detection script is in the malware-research repository.

If you have any questions about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.

ESET Research offers private APT intelligence reports and data feeds. If you have any questions about this service, please visit the ESET Threat Intelligence page.
