400k Linux servers compromised for cryptotheft and financial gain

ESET Research has recently shed light on one of the most sophisticated server-side malware campaigns, one that continues to expand: it now spans hundreds of thousands of compromised servers and has added credit card and cryptocurrency theft. The campaign, known as Ebury, was first documented a decade ago in the white paper Operation Windigo. Despite the arrest and conviction of one of the Ebury perpetrators following Operation Windigo, the botnet has persisted and grown over the years.

Ebury, characterized by its OpenSSH backdoor and credential-stealing capabilities, has been updated and modified since its initial discovery. ESET researchers have tracked its evolution by maintaining honeypots to collect new samples and network indicators. The complexity of Ebury has increased over time, however, making its behavior harder to detect and analyze, and the operators' interactions with an ESET-operated honeypot showed a notable degree of sophistication and awareness on their part.

In 2021, the Dutch National High Tech Crime Unit collaborated with ESET to investigate a case involving Ebury found on a server linked to cryptocurrency theft. This collaboration provided valuable insights into the operations of the Ebury group and the malware they employ. The research conducted by ESET uncovered new methods used by the Ebury gang to compromise additional servers, including targeting hosting providers and intercepting SSH traffic within data centers.

The tactics employed by the Ebury gang have resulted in approximately 400,000 servers being compromised since 2009, with over 100,000 servers still under their control as of late 2023. The perpetrators maintain records of the compromised systems, allowing researchers to track the growth of the botnet over time. Additionally, the Ebury gang has expanded its monetization efforts by deploying multiple malware families to leverage the compromised servers for financial gain.

Furthermore, the Ebury malware itself has undergone updates, with the latest major version, 1.8, introducing new obfuscation techniques and improvements to the userland rootkit used to conceal the malware from detection. These enhancements make it increasingly challenging for system administrators to identify and remove Ebury from infected servers. The research conducted by ESET delves into the technical intricacies of Ebury and provides indicators of compromise for organizations to assess their security posture.
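As an added illustration (not ESET's tooling, not code from this article, and carrying no Ebury-specific indicator), the following script shows the kind of consistency check an administrator can run when assessing a server against a userland rootkit of the general class described above. It reports shared objects forced into every process through /etc/ld.so.preload, and it compares the PIDs visible in a directory listing of /proc with the PIDs the kernel acknowledges when probed directly. The sample inputs in the test are constructed; the file paths are the standard Linux ones.

```python
#!/usr/bin/env python3
"""Generic consistency checks for a userland rootkit on a Linux host.

Added example for this article; it is not ESET's tooling and encodes no
Ebury-specific indicator. A userland rootkit hooks library calls so that
ls, ps and similar tools omit the intruder's files and processes. Two
independent cross-checks expose the common mechanisms:

  1. a shared object forced into every process through /etc/ld.so.preload;
  2. processes that a readdir() of /proc omits although the kernel still
     reports them as present when probed with kill(pid, 0).
"""
import os
from typing import Iterable, List, Set

PRELOAD_FILE = "/etc/ld.so.preload"


def parse_preload(lines: Iterable[str]) -> List[str]:
    """Return the shared objects named in ld.so.preload content.

    '#' comments and blank lines are ignored; entries on one line may be
    separated by whitespace or ':' (the dynamic loader accepts both).
    """
    libs: List[str] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        libs.extend(line.replace(":", " ").split())
    return libs


def preload_findings(path: str = PRELOAD_FILE) -> List[str]:
    """Entries in the live preload file.

    On a healthy server the file is normally absent or empty, so any entry
    deserves a look; a missing file is simply reported as no findings.
    """
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return parse_preload(fh)
    except FileNotFoundError:
        return []


def listed_pids(proc_dir: str = "/proc") -> Set[int]:
    """PIDs visible through a plain directory listing (what ps and top rely on)."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def pid_exists(pid: int) -> bool:
    """True if the kernel knows this PID.

    kill(pid, 0) delivers no signal: ESRCH means no such process, EPERM
    means it exists but belongs to another user, so both answers come from
    the kernel rather than from a hookable directory walk.
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probe_pids(max_pid: int) -> Set[int]:
    """PIDs in [1, max_pid] that exist according to the kernel."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def hidden_pids(listed: Set[int], probed: Set[int]) -> Set[int]:
    """PIDs that exist when probed but are missing from the listing."""
    return probed - listed


def find_hidden_processes() -> Set[int]:
    """Live check over the whole PID space.

    Candidates are re-verified against a fresh listing so that processes
    which merely started or exited between the two steps are not reported.
    """
    with open("/proc/sys/kernel/pid_max", encoding="ascii") as fh:
        max_pid = int(fh.read().strip())
    candidates = hidden_pids(listed_pids(), probe_pids(max_pid))
    fresh = listed_pids()
    return {pid for pid in candidates if pid_exists(pid) and pid not in fresh}


def run_report() -> dict:
    """Collect both checks. An empty report means neither mechanism is
    visible, not that the host is clean: a rootkit may also hook kill()."""
    return {
        "preload": preload_findings(),
        "hidden_pids": sorted(find_hidden_processes()),
    }


if __name__ == "__main__":
    print(run_report())
```

Run it as root from a statically linked or trusted Python if possible; because the hooks live in user space, any check that runs through the same libc can itself be lied to, which is why the two checks here rely on different library entry points and are meant to be read side by side with the indicators of compromise ESET publishes, not instead of them.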

For organizations seeking more information or assistance regarding the Ebury malware campaign, ESET offers private APT intelligence reports and data feeds. This latest research from ESET highlights the ongoing threat posed by Ebury and emphasizes the importance of proactive cybersecurity measures to protect against evolving malware threats. Organizations are encouraged to remain vigilant and implement robust security measures to safeguard their servers and sensitive information from malicious actors.
