The operators behind the Ebury server-side malware botnet have been doing business since at least 2009 and, according to the threat researchers who have been tracking it for the last decade, are stronger and more active than ever.

The malware has compromised at least 400,000 Linux servers over the past 15 years, with about 100,000 systems still infected as of late last year, according to researchers with cybersecurity firm ESET. And the bad actors behind what the researchers call “one of the most advanced server-side malware campaigns” continue to evolve the malware, broadening its targets, tactics, and end-goals.

Such evolution has created a highly effective and difficult-to-stop malware, according to Marc-Etienne M. Léveillé, senior malware researcher with ESET.

“Ebury poses a serious threat and a challenge to the Linux security community,” Léveillé wrote in a 47-page report. “There is no simple fix that would make Ebury ineffective, but a handful of mitigations can be applied to minimize its spread and impact. One thing to realize is that it doesn’t happen only to organizations or individuals that care less about security. A lot of very tech-savvy individuals and large organizations are among the list of victims.”

Started in 2009, Detected in 2014

ESET first detected Ebury in 2014, five years after the operation had gotten underway. The cybersecurity firm that year wrote a white paper called Operation Windigo that outlined a malware campaign that targeted Linux servers for financial gain. The paper helped lead to the arrest a year later of Maxim Senakh, a Russian national who was sentenced to prison in the United States to almost four years for helping to develop and maintain the botnet malware.

Senakh’s capture did little to slow down the development of Ebury, an OpenSSH backdoor and credential stealer that continued to be updated. In 2021, Dutch law enforcement told ESET they had found Ebury on the server of a person whose cryptocurrency had been stolen. The subsequent research helped ESET get an understanding how the malware had evolved.

“It is a shared library that, when loaded, alters the behavior of the OpenSSH client and server, injects itself into programs that use the curl library so as to exfiltrate HTTP requests made by the system, and tampers with terminal sessions spawned over SSH to hide itself,” he wrote.

It also deploys other malware that acts as modules to redirect web traffic, run proxy traffic for spam, perform adversary-in-the-middle (AitM) attacks, and host related malicious infrastructure. The operators also use the botnet to steal crypto via AitM attacks and steal credit cards and credentials by eavesdropping network traffic, a technique known as “server-side web skimming.”

Hosting Providers a Prime Target

ISPs and hosting providers are popular targets of Ebury hackers, using the access to infrastructure to install the malware on all the servers that are being rented by the provider, Léveillé wrote. Along with the Linux servers, Ebury was found infecting about 400 FreeBSD servers, a dozen OpenBSD and SunOS servers, and at least one Mac.

The 400,000 total servers were infected over 15 years, though not all at the same time. Over most the time that ESET has tracked Ebury, the number was about 40,000, though it jumped last year to 110,000 mostly due to the compromise of a large hosting provider.

“There is a constant churn of new servers being compromised while others are being cleaned up or decommissioned,” he wrote. “The data at our disposal doesn’t indicate when the attackers lost access to the systems, so it’s difficult to know the size of the botnet at any specific point in time.”

However, the deployment rate has accelerated over the years. Eliminating spikes on some days, there was an average of 207 installations per month before 2012, 1,331 between then and 2020, and 1,654 since then, with some months when the number of new deployments hit 70,000. Access to new servers primarily were gained using credentials stolen from existing compromised servers, though the peaks in deployments were from larger incidents, where Ebury was installed through such means as accessing servers of hosting providers or using exploits.

Multiple Avenues into Servers

The operators use multiple methods for getting the malware onto servers, including using stolen SSH credentials to gain access to other systems. ESET has since found other techniques, including credential stuffing, targeting hosting provider infrastructures, AitM attacks, and exploiting zero-days flaws in systems like the Control Web Panel web hosting panel (tracked as CVE-2021-45467). The operators also use a flaw called Dirty COW (CVE-2016-5195) to elevate privileges when they can get access via credentials.

The use of AitM attacks inside data centers to compromise targets also is new to Ebury, Léveillé wrote, adding that “this automated way to go after servers that potentially have cryptocurrency wallets enables the group to monetize its botnet.”

Ebury operators also will leverage the work of other threat groups, including using a reconnaissance Perl script to find other OpenSSH credential stealers and collect those credentials. They’ve also reverse engineered others’ malware to decrypt stolen credentials left on a disk and compromised other hackers’ infrastructures, including systems used by a Mirai botnet operator and the servers used for the Vidar Stealer malware.

“Ebury actors used the stolen identities obtained through Vidar Stealer for renting server infrastructure and in their activities, sending law enforcement bodies in the wrong directions,” he wrote. “Looking at seized data owned by the Ebury gang, it’s difficult to draw a line between what was gained from their activities versus what they stole from other criminal groups.”