A notorious Linux-based botnet known as Ebury is still going strong, preying on unsuspecting victims and fueling cryptocurrency theft and financial scams. Despite the incarceration of one of its key operators, the botnet has backdoored nearly 400,000 servers running Linux, FreeBSD, and OpenBSD over its lifetime, with over 100,000 servers still compromised as of late 2023, according to recent research from cybersecurity firm ESET.
The victims targeted by the Ebury botnet include universities, small and large enterprises, Internet service providers, cryptocurrency traders, Tor exit nodes, and various hosting providers around the world. This widespread reach underscores the longstanding threat posed by Ebury, which first came to light 15 years ago.
Ebury is an OpenSSH backdoor and credential stealer: once installed on a server, it harvests SSH passwords and private keys passing through the SSH stack and gives its operators remote access to the host. That access is then used to deploy secondary malware modules such as Cdorked, an HTTP backdoor used for web traffic redirection and DNS settings manipulation, and Calfbot, a Perl script used for sending spam emails.
Over the years, Ebury has been leveraged for a range of illicit activities, from spam distribution to web traffic manipulation and credential theft. More recently, however, the operators have shifted their focus to stealing credit card information and cryptocurrency. By intercepting SSH traffic to interesting targets such as cryptocurrency nodes, Ebury's operators redirect unsuspecting users to servers under their control, capture the login credentials, and use them to empty the victims' cryptocurrency wallets automatically upon login.
The Ebury gang also removes competition from the servers it controls, going so far as to detect and remove the BigBadWolf banking Trojan from compromised systems. Through a combination of zero-day vulnerabilities in server administration software and the reuse of passwords and keys harvested from already-compromised systems, the attackers have compromised tens of thousands of servers across multiple hosting providers.
ESET researcher Marc-Etienne M. Léveillé, who has been tracking Ebury for over a decade, noted the far-reaching impact of the botnet on the hosting provider ecosystem. In one case involving a single hosting provider, 70,000 servers were compromised by Ebury in 2023, highlighting the scale of the threat posed by this persistent malware strain.
Despite the 2015 arrest and subsequent conviction of one of its key operators, Maxim Senak, the remaining operators behind Ebury have continued their activity discreetly. They have refrained from openly advertising their services on dark web forums, maintaining a low profile to avoid law enforcement scrutiny. Nevertheless, ongoing investigations by authorities such as the Dutch National High Tech Crime Unit suggest that the battle against Ebury is far from over.
To help system administrators combat the Ebury threat, ESET has released a set of detection and remediation tools designed to identify and remove the malware from compromised servers. Cleanup is nonetheless challenging: because the backdoor sits inside the SSH stack and every password and key that touched the host must be assumed stolen, removing the malware is only half the job; credentials have to be rotated and the server monitored afterwards, or the operators simply log back in and reinfect it.
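Because Ebury hides inside OpenSSH and the libraries it loads, a defender's first question after an incident (or before one) is whether those files are still the ones the distribution shipped. The following is an added example, not ESET's tooling and not code from the article: a baseline-and-verify check that hashes the SSH stack, stores the result off-box, and later reports anything modified, missing, or retargeted through a symlink, plus a look at `/etc/ld.so.preload`, the file glibc uses to force libraries into every process. The paths in `WATCHED` are assumptions for a typical Debian/RHEL x86_64 layout; regenerate them from `ldd /usr/sbin/sshd` on your own hosts. The `demo()` scenario uses constructed stand-in files, not real binaries.

```python
"""Baseline-and-verify integrity check for the OpenSSH stack.

Added example (not ESET's detection tools, not code from the article).
Assumptions: WATCHED lists a typical Debian/RHEL x86_64 layout; extend it
with the libraries `ldd /usr/sbin/sshd` reports on your systems.
"""
import hashlib
import json
import os
import tempfile

# Assumed OpenSSH stack; adjust per distribution and architecture.
WATCHED = [
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/usr/lib/x86_64-linux-gnu/libkeyutils.so.1",
    "/lib/x86_64-linux-gnu/libc.so.6",
]
PRELOAD_FILE = "/etc/ld.so.preload"  # any library listed here is injected into every process


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Record hash, size and resolved target for each path; absent files record None."""
    snap = {}
    for p in paths:
        real = os.path.realpath(p)  # follow symlinks: a retargeted link is itself a finding
        if os.path.isfile(real):
            snap[p] = {"real": real, "sha256": sha256_of(real), "size": os.path.getsize(real)}
        else:
            snap[p] = None
    return snap


def diff_snapshots(baseline, current):
    """Return (kind, path) findings for anything that changed since the baseline."""
    findings = []
    for p in sorted(set(baseline) | set(current)):
        b, c = baseline.get(p), current.get(p)
        if b is None and c is None:
            continue
        if b is None:
            findings.append(("new_file", p))
        elif c is None:
            findings.append(("missing", p))
        elif b["real"] != c["real"]:
            findings.append(("symlink_retargeted", p))
        elif b["sha256"] != c["sha256"]:
            findings.append(("modified", p))
    return findings


def preload_entries(text):
    """ld.so.preload holds whitespace-separated library paths; each one deserves scrutiny."""
    return text.split()


def save_baseline(baseline_path, paths=WATCHED):
    """Write the baseline; keep the resulting file off the host it describes."""
    with open(baseline_path, "w") as f:
        json.dump(snapshot(paths), f, indent=2)


def check_host(baseline_path, paths=WATCHED):
    """Compare the live host against a baseline written earlier by save_baseline()."""
    with open(baseline_path) as f:
        baseline = json.load(f)
    findings = diff_snapshots(baseline, snapshot(paths))
    if os.path.isfile(PRELOAD_FILE):
        with open(PRELOAD_FILE) as f:
            findings += [("preloaded", lib) for lib in preload_entries(f.read())]
    return findings


def demo():
    """Constructed scenario: stand-in files are baselined, then one is overwritten and one removed."""
    with tempfile.TemporaryDirectory() as d:
        sshd = os.path.join(d, "sshd")
        lib = os.path.join(d, "libkeyutils.so.1")
        with open(sshd, "wb") as f:
            f.write(b"\x7fELF stand-in for a clean sshd")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF stand-in for a clean libkeyutils")
        base = os.path.join(d, "baseline.json")
        save_baseline(base, [sshd, lib])
        with open(sshd, "wb") as f:  # simulate a trojanised binary
            f.write(b"\x7fELF stand-in for a backdoored sshd")
        os.remove(lib)  # simulate a library that has vanished
        with open(base) as f:
            return diff_snapshots(json.load(f), snapshot([sshd, lib]))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:20} {path}")
```

Two caveats worth keeping in mind. Distribution package verification (`rpm -V openssh-server`, `dpkg -V openssh-server`) is a quicker first pass, but it trusts a package database on the same host that an attacker with root can edit; a baseline stored elsewhere does not have that problem. And a clean result is evidence, not proof: a kernel-level rootkit can lie to the hashing process itself, so for a host suspected of compromise the comparison should be run from a rescue environment against the mounted disk, and the decisive remediation remains reinstalling and rotating credentials.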
As the Ebury botnet continues to evolve with new obfuscation techniques and rootkit functionality, the need for stronger security measures on Linux-based servers remains critical. Multi-factor authentication on SSH blunts the value of a stolen password, but the ongoing presence of such sophisticated malware underscores the persistent challenge system administrators face in safeguarding their infrastructure.