Ebury botnet operators diversify into financial and cryptocurrency theft

Ebury, one of the most advanced server-side malware campaigns, has been active for 15 years but its use by threat actors is still growing, according to cybersecurity firm ESET.

A new report published on May 14 by ESET Research showed that the operators of the Ebury malware and botnet were more active than ever in 2023.

Over the years, Ebury has been used as a backdoor to compromise nearly 400,000 Linux, FreeBSD, and OpenBSD servers. As of the end of 2023, more than 100,000 were still compromised.

Long known for distributing spam, web traffic redirects, and credential theft, the Ebury Group recently added credit card compromise and cryptocurrency theft into its techniques, tactics, and procedures (TTPs).

What is the Ebury botnet?

Ebury is a malicious group that has been active since at least 2009. It has developed an OpenSSH backdoor and credential stealer, and uses the resulting botnet to distribute multiple malware strains at once.

The group’s primary targets are hosting providers.

The Ebury botnet is used to compromise Linux, FreeBSD, and OpenBSD servers in order to deploy web traffic redirection modules, proxy spam traffic, or perform adversary-in-the-middle (AitM) attacks.

In 2014, ESET published a white paper on Operation Windigo, a malicious campaign using multiple malware families working in conjunction with the Ebury malware family at its center.

Following the publication of the Windigo document, Russian citizen Maxim Senakh, one of the Ebury operators, was arrested at the Finnish-Russian border in 2015 and subsequently extradited to the United States.

In 2017 he was sentenced to 46 months in prison in the United States for his role in running the Ebury botnet. ESET assisted the FBI in the operation and testified during the trial.

In late 2021, the Dutch National High Tech Crime Unit (NHTCU), part of the Dutch National Police, contacted ESET after finding Ebury on the server of a cryptocurrency theft victim.

“These suspicions proved to be true and with the assistance of NHTCU, ESET Research gained significant visibility into the operations operated by the Ebury threat actors,” the new ESET report indicates.

Marc-Etienne M. Léveillé, the ESET researcher who has studied Ebury for more than a decade, commented: “We have documented cases […] where the Ebury perpetrators managed to compromise thousands of servers at once. There is no geographical border for Ebury; there are servers compromised with Ebury in almost every country in the world. Every time a hosting provider was compromised, it resulted in a large number of compromised servers in the same data centers.

“At the same time, no vertical appears more targeted than others. Victims include universities, small and large businesses, internet service providers, cryptocurrency traders, Tor exit nodes, shared hosting providers, and dedicated server providers, to name a few.”

Ebury’s new favorite targets: Bitcoin and Ethereum nodes

Despite the arrest, the Ebury group continued to wage malicious campaigns, at least until the end of 2023.

The ESET report describes new methods used to propagate Ebury to new servers that appeared after 2021.

Once it has access to a target’s infrastructure, usually a hosting provider, the Ebury group can launch different types of attacks.

In one of the most recent methods, the group uses an AitM attack to intercept the SSH traffic of attractive targets inside data centers and redirect it to a server used to capture credentials.

Attackers exploit existing Ebury-compromised servers in the same network segment as their target to perform Address Resolution Protocol (ARP) spoofing. Among the targets are Bitcoin and Ethereum nodes. Ebury automatically steals cryptocurrency wallets hosted on the target server once the victim types the password to access it.
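The ARP-spoofing step described above has a well-known network-side indicator: an IP address that suddenly answers from a different MAC address, and a single MAC that starts claiming several addresses at once (the gateway plus the target node). The following script is an added example, not code from the article or from ESET; it parses constructed ARP-reply log lines (the `<ts> arp-reply <ip> is-at <mac>` format and the sample addresses are assumptions) and flags both patterns, optionally checking against a trusted IP-to-MAC table for critical hosts such as the default gateway.

```python
"""ARP-spoofing indicators from a stream of ARP replies (defender-side example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class Alert:
    ts: float
    ip: str
    old_mac: str
    new_mac: str
    kind: str  # "trusted-mac-mismatch" or "mac-flip"


def parse_arp_log(lines):
    """Parse constructed log lines of the form '<ts> arp-reply <ip> is-at <mac>'.

    Lines that do not match the assumed format are skipped rather than raising.
    """
    replies = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[1] != "arp-reply" or parts[3] != "is-at":
            continue
        replies.append(ArpReply(float(parts[0]), parts[2], parts[4].lower()))
    return replies


def find_mac_flips(replies, trusted=None):
    """Alert when an IP changes MAC address.

    For IPs in the trusted table (e.g. the gateway), any reply carrying a different
    MAC is a mismatch. For other IPs, a change from the previously seen MAC is a flip.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    last_mac = {}
    alerts = []
    for r in replies:
        expected = trusted.get(r.sender_ip)
        if expected is not None:
            if r.sender_mac != expected:
                alerts.append(Alert(r.ts, r.sender_ip, expected, r.sender_mac,
                                    "trusted-mac-mismatch"))
        else:
            prev = last_mac.get(r.sender_ip)
            if prev is not None and prev != r.sender_mac:
                alerts.append(Alert(r.ts, r.sender_ip, prev, r.sender_mac, "mac-flip"))
        last_mac[r.sender_ip] = r.sender_mac
    return alerts


def find_macs_claiming_many_ips(replies, threshold=2):
    """Return {mac: [ips]} for MACs that claim at least `threshold` distinct IPs.

    A host legitimately answering for one address does not claim the gateway too;
    a spoofer positioned between a node and its gateway typically does.
    """
    ips_by_mac = defaultdict(set)
    for r in replies:
        ips_by_mac[r.sender_mac].add(r.sender_ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) >= threshold}


# Constructed sample: a gateway (.1) and two nodes (.20, .21); after ~40 s a new MAC
# (…:ee) starts answering for both the gateway and node .20.
SAMPLE_LOG = [
    "1700000001.0 arp-reply 10.0.0.1 is-at aa:bb:cc:00:00:01",
    "1700000002.0 arp-reply 10.0.0.20 is-at aa:bb:cc:00:00:20",
    "1700000003.0 arp-reply 10.0.0.21 is-at aa:bb:cc:00:00:21",
    "1700000040.0 arp-reply 10.0.0.1 is-at AA:BB:CC:00:00:EE",
    "1700000040.5 arp-reply 10.0.0.20 is-at aa:bb:cc:00:00:ee",
    "1700000041.0 arp-reply 10.0.0.21 is-at aa:bb:cc:00:00:21",
    "garbage line that should be ignored",
]
TRUSTED = {"10.0.0.1": "aa:bb:cc:00:00:01"}  # assumed gateway binding


if __name__ == "__main__":
    replies = parse_arp_log(SAMPLE_LOG)
    for a in find_mac_flips(replies, TRUSTED):
        print(f"{a.ts:.1f} {a.kind}: {a.ip} {a.old_mac} -> {a.new_mac}")
    for mac, ips in find_macs_claiming_many_ips(replies).items():
        print(f"{mac} claims {len(ips)} addresses: {', '.join(ips)}")
```

On the victim side the same redirect is visible too: an SSH client with strict host-key checking refuses to connect when the intercepting server presents a host key other than the one recorded for the target, so pinned host keys (or certificate-based host authentication) and alerts on repeated host-key mismatches complement the network check above.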

ESET noted that this method was used to hit over 200 targets on over 75 networks in 34 countries between February 2022 and May 2023.

This example not only illustrates one of Ebury’s latest attack techniques, but also one of the group’s newest monetization vectors: cryptocurrency theft.

Furthermore, the Ebury malware family itself has also been updated.

The new major version, 1.8, first seen in late 2023, included new obfuscation techniques, a new domain generation algorithm (DGA), and improvements to the userspace rootkit Ebury uses to hide from system administrators. When the rootkit is active, the malware’s process, files, sockets, and even its mapped memory are hidden.
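A userspace rootkit of the kind described above hides by hooking library calls such as the directory-listing functions, so a classic defender check is to compare two views of the same data: what `readdir()` reports for `/proc` versus which `/proc/<pid>` entries answer to a direct `stat()`. The script below is an added example, not ESET’s tooling; the assumption that only the listing path is hooked while `stat()` still succeeds is stated in the comments, and a rootkit that hooks both, or a kernel-level one, would not be caught this way.

```python
"""Cross-check two views of /proc to spot processes hidden from directory listings."""
import os
import time


def hidden_pids(listed, probed):
    """Pure comparison: PIDs that answered a direct probe but are missing from the listing.

    `listed` is the set of PIDs a readdir()-based listing returned; `probed` is the set
    that responded to a direct stat(). Anything in the second but not the first is
    suspicious. Kept free of I/O so it can be unit-tested with constructed inputs.
    """
    return sorted(set(probed) - set(listed))


def snapshot_proc(pid_max):
    """Collect both views on a live Linux host.

    Assumption: a userspace rootkit that filters readdir() hides its PID directory from
    os.listdir(), while os.path.exists() (a stat() on the path) still succeeds.
    """
    listed = {int(name) for name in os.listdir("/proc") if name.isdigit()}
    probed = {pid for pid in range(1, pid_max + 1) if os.path.exists(f"/proc/{pid}/status")}
    return listed, probed


def scan_live(passes=3, pid_max=None, delay=0.2):
    """Run several passes and report only PIDs hidden in every pass.

    Processes start and exit between the two views, so a single pass produces
    false positives; intersecting repeated passes removes that race noise.
    pid_max defaults to the kernel's limit (scanning the full range is slow but complete).
    """
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read().strip())
    suspects = None
    for _ in range(passes):
        listed, probed = snapshot_proc(pid_max)
        found = set(hidden_pids(listed, probed))
        suspects = found if suspects is None else suspects & found
        time.sleep(delay)
    return sorted(suspects)


if __name__ == "__main__":
    for pid in scan_live():
        print(f"PID {pid} answers stat() but is absent from the /proc listing")
```

Because the check runs through the same libc the rootkit may have hooked, a stronger variant issues the `getdents64` system call directly (for example via `ctypes`) or runs from a statically linked binary copied onto the host; the comparison logic in `hidden_pids` stays the same.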

2023, a record year for Ebury

These changes in the Ebury Group’s infection and monetization methods appear to be paying off, as the group’s activity increased significantly in 2023 compared to 2021.

“Attackers keep track of the systems they have compromised, and we used this data to track a history of the number of new servers added to the botnet each month,” ESET researchers wrote.

August 2023 saw record-breaking activity from the group, with over 6,000 compromised servers recorded that month.

Overall, around 400,000 servers have been compromised by Ebury since 2009, and more than 100,000 were still compromised as of the end of 2023.
