Ebury Botnet
A malware botnet named Ebury has infiltrated around 400,000 Linux servers since 2009, with over 100,000 servers remaining compromised as of late 2023. This botnet is recognized by cybersecurity experts as one of the most sophisticated server-side malware campaigns aimed at financial gain.
The actors behind Ebury have engaged in various monetization activities, such as distributing spam, redirecting Web traffic, and stealing credentials. Additionally, they are involved in cryptocurrency theft through Man-in-the-Middle (MitM) attacks and credit card theft via network traffic interception, a technique commonly referred to as server-side web skimming.
Table of Contents
Cybercriminals Got Caught Operating the Ebury Botnet
Ebury emerged over ten years ago during Operation Windigo, a campaign aimed at compromising Linux servers. This operation deployed Ebury along with other tools like Cdorked and Calfbot to redirect web traffic and send spam. In August 2017, Maxim Senakh, a Russian national, was sentenced to nearly four years in a U.S. prison for his involvement in developing and maintaining the Ebury botnet.
Senakh and his associates utilized the Ebury botnet to manipulate internet traffic for various click-fraud and spam email schemes, according to the U.S. Justice Department. This resulted in fraudulent revenue amounting to millions of dollars. As part of his plea, Senakh confessed to supporting the criminal enterprise by setting up accounts with domain registrars to expand the Ebury botnet infrastructure and personally profited from the traffic generated by it.
The Ebury Botnet Infected Devices via Numerous Different Vectors
An investigation has revealed multiple tactics employed by attackers to distribute Ebury, including stealing SSH credentials, credential stuffing, infiltrating hosting provider infrastructure, exploiting vulnerabilities like Control Web Panel flaw CVE-2021-45467, and conducting SSH man-in-the-middle (MitM) attacks.
Additionally, threat actors have been observed using fake or stolen identities to conceal their activities. They have compromised infrastructure used by other malicious actors, deploying the Ebury malware to achieve their objectives and confuse efforts to trace them.
For instance, attackers compromised servers responsible for collecting data from Vidar Stealer. They used stolen identities acquired through Vidar Stealer to rent server infrastructure and carry out activities, intentionally misleading law enforcement. In another case, Ebury was used to breach the system of one of the Mirai botnet authors, obtaining the code before its public release.
Attackers Utilized Ebury to Deliver Additional Threatening Payloads
The malware operates as a backdoor and SSH credential thief, enabling attackers to introduce additional payloads like HelimodSteal, HelimodProxy, and HelimodRedirect, thereby extending their reach within compromised networks. The most recent version of Ebury identified is 1.8.2.
These tools are geared towards monetizing the compromised servers through various means. Monetization strategies include theft of credit card information, cryptocurrency pilfering, traffic redirection, spam dissemination, and credential theft.
HelimodSteal, HelimodRedirect, and HelimodProxy function as HTTP server modules to intercept HTTP POST requests, redirect HTTP traffic to advertisements, and proxy traffic for spam distribution. The group also utilizes a kernel module named KernelRedirect, employing a Netfilter hook to modify HTTP traffic and enable redirection. HelimodSteal is specifically designed to capture credit card data submitted to online stores, acting as a server-side web skimmer to extract this sensitive information from infected servers.
The attackers also leverage software to conceal and permit malicious traffic through firewalls, along with Perl scripts, for large-scale man-in-the-middle attacks within hosting providers' data centers. They target valuable assets to steal cryptocurrency from wallets.
