ESET, a prominent cybersecurity firm, has brought attention to the Ebury malware campaign, a server-side malware that has been active for the past 15 years. Despite its long history, the use of Ebury by threat actors is on the rise, as highlighted in a recent report released by ESET Research on May 14.

The ESET report revealed that the operators of the Ebury malware and botnet have been more active than ever in 2023. This malicious group has been known to target Linux, FreeBSD, and OpenBSD servers, compromising almost 400,000 servers over the years. Shockingly, as of late 2023, more than 100,000 servers were still compromised by Ebury.

Originally deployed for spam, web traffic redirections, and credential stealing, the Ebury group has expanded its malicious tactics to include credit card compromise and cryptocurrency theft. This evolution in their techniques, tactics, and procedures (TTPs) has further increased the threat posed by Ebury.

The Ebury botnet is a sophisticated operation that has been targeting hosting providers since 2009. It utilizes an OpenSSH backdoor and credential stealer to deploy multiple malware strains simultaneously through a botnet network. The group’s primary focus on hosting providers has allowed them to compromise servers and carry out various malicious activities such as web traffic redirection, spam proxying, and adversary-in-the-middle attacks (AitM).

One significant development in the Ebury saga was the arrest of Maxim Senakh, a Russian national and one of the operators behind Ebury, in 2015. Senakh was sentenced to 46 months in prison in the US for his involvement in running the Ebury botnet. ESET played a crucial role in assisting the FBI during the operation and provided testimony during Senakh’s trial.

Despite the arrest of one of its operators, the Ebury group has persisted in running malicious campaigns, with a particular focus on targeting Bitcoin and Ethereum nodes for cryptocurrency theft. The ESET report highlighted new methods employed by the Ebury group to propagate their malware to new servers, including AitM attacks to intercept SSH traffic and steal cryptocurrency wallets.

Furthermore, the Ebury malware itself has undergone updates, with the release of a new major version, 1.8, in late 2023. This update featured new obfuscation techniques, a domain generation algorithm (DGA), and improvements in the userland rootkit used by Ebury to evade detection by system administrators.

The year 2023 proved to be a record-breaking year for Ebury, with a significant increase in their activity compared to 2021. In August 2023 alone, over 6000 compromised servers were recorded, indicating the growing threat posed by the Ebury group. Since 2009, approximately 400,000 servers have fallen victim to Ebury, with more than 100,000 servers still compromised as of late 2023.

In conclusion, the Ebury malware campaign continues to pose a serious threat to server security, with the group’s relentless activity and evolving tactics making them a formidable adversary in the cybersecurity landscape. Efforts to combat Ebury and protect servers from compromise remain crucial in safeguarding against the growing threat posed by this long-standing malware campaign.

Source link