Ebury is an OpenSSH backdoor and credential stealer, developed by Windigo, that targets Linux servers and container hosts. Ebury is primarily installed by modifying shared libraries (.so files) loaded by the legitimate OpenSSH program. First seen in 2009, Ebury has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.[1][2][3][4]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1014 | Rootkit | Ebury acts as a user land rootkit using the SSH service.[3][4] |
| Enterprise | T1554 | Compromise Host Software Binary | Ebury modifies the |
| Enterprise | T1556 | Modify Authentication Process | Ebury can intercept private keys using a trojanized |
| Enterprise | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | Ebury can deactivate PAM modules to tamper with the sshd configuration.[3] |
| Enterprise | T1129 | Shared Modules | Ebury is executed through hooking the keyutils.so file used by legitimate versions of |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.[1] |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Ebury has used a DGA to generate a domain name for C2.[1][3] |
| Enterprise | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | When Ebury is running as an OpenSSH server, it uses LD_PRELOAD to inject its malicious shared module into programs launched by SSH sessions. Ebury hooks the following functions from |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.[3] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Ebury can use the commands |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | |
| Enterprise | T1008 | Fallback Channels | Ebury has implemented a fallback mechanism to begin using a DGA when the attacker hasn't connected to the infected system for three days.[3] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.[3] |
| Enterprise | T1562.006 | Impair Defenses: Indicator Blocking | Ebury hooks system functions to prevent the user from seeing malicious files ( |
| Enterprise | T1562.012 | Impair Defenses: Disable or Modify Linux Audit System | Ebury disables OpenSSH, system ( |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | Ebury has intercepted unencrypted private keys as well as private key pass-phrases.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Ebury has obfuscated its strings with a simple XOR encryption with a static key.[1] |
| Enterprise | T1020 | Automated Exfiltration | If credentials are not collected for two weeks, Ebury encrypts the credentials using a public key and sends them via UDP to an IP address located in the DNS TXT record.[5][4] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Ebury exfiltrates a list of outbound and inbound SSH sessions using OpenSSH's |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.[1] |
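The T1027 row above notes that Ebury hides its strings behind a simple XOR with a static key. The following is an added triage example written for this page; it is not code from MITRE ATT&CK, from the Ebury analyses it cites, or from the malware itself. It assumes a one-byte key and a NUL-padded string table (both are constructed assumptions; the page states neither), and it recovers the key from the observation that NUL padding XORed with a constant key becomes the most frequent byte in the blob, then confirms the guess by checking that the decoded text looks like paths and hostnames.

```python
"""Triage helper for strings hidden behind a static single-byte XOR key.

Added example for this page, not code from ATT&CK, the cited analyses or the
malware.  Assumptions (constructed for demonstration): the key is one byte,
and the obfuscated data is a NUL-padded string table.
"""
from collections import Counter

# Characters expected to dominate a decoded string table (paths, hostnames, options).
LIKELY = set(b"abcdefghijklmnopqrstuvwxyz0123456789 /.-_:=")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (assumed key width)."""
    return bytes(b ^ key for b in data)


def nul_separated_strings(data: bytes, min_len: int = 4) -> list:
    """Split on NUL and keep pieces that are printable ASCII of a useful length."""
    out = []
    for piece in data.split(b"\x00"):
        if len(piece) >= min_len and all(0x20 <= b < 0x7F for b in piece):
            out.append(piece.decode("ascii"))
    return out


def plausibility(data: bytes) -> float:
    """Fraction of non-NUL bytes that look like path/hostname characters."""
    body = data.replace(b"\x00", b"")
    return sum(b in LIKELY for b in body) / len(body) if body else 0.0


def recover_xor_strings(blob: bytes, threshold: float = 0.85):
    """Guess the key from byte frequency, then confirm by decoding.

    NUL padding in a string table becomes the key byte after XOR, so the
    key is usually the most common byte.  Candidates are tried in frequency
    order and the first decode that looks like real text is accepted.
    Returns (key, strings), or (None, []) if nothing decodes plausibly.
    """
    for key, _count in Counter(blob).most_common():
        decoded = xor_bytes(blob, key)
        if plausibility(decoded) >= threshold:
            return key, nul_separated_strings(decoded)
    return None, []


# --- constructed sample: four strings in 24-byte NUL-padded slots ------------
SAMPLE_KEY = 0x5A  # constructed key, not Ebury's
_PLAIN_TABLE = b"".join(
    s.ljust(24, b"\x00")
    for s in (b"/tmp/constructed.so", b"example-c2.invalid", b"ssh-rsa", b"port=22")
)
SAMPLE_BLOB = xor_bytes(_PLAIN_TABLE, SAMPLE_KEY)  # what an analyst would see on disk

if __name__ == "__main__":
    key, strings = recover_xor_strings(SAMPLE_BLOB)
    print(f"key=0x{key:02x}" if key is not None else "no plausible key")
    for s in strings:
        print("  ", s)
```

On a real sample the blob would be the obfuscated data section carved from the suspicious shared object; the frequency heuristic fails when the key is longer than one byte or the table has little padding, which is why the decode is validated rather than trusted.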