ESET researchers published a follow-up paper on Ebury Botnet, a Linux malware that steals credentials for financial gain, leverages the OpenSSH backdoor and even evolves to bypass honeypot detection.
ESET and the Dutch National High Tech Crime Unit collaborated to investigate recent Ebury activities and the new malware families it uses, as their work helps to track new samples and network indicators of the botnet.
Ebury malware leverages compromised hosting providers to infect a large number of servers efficiently: the attackers gain access to the hosting provider's infrastructure and install Ebury on all the rented servers, significantly expanding their reach.
It further employs ARP spoofing within compromised networks to intercept SSH traffic and steal credentials, allowing the attackers to target cryptocurrency wallets on servers such as Bitcoin and Ethereum nodes.
By capturing the login credentials when the victim enters their password, Ebury can steal the cryptocurrency wallets hosted on the server.
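ARP spoofing of the kind described above leaves a network-level trace: an IP address (typically the gateway) suddenly being claimed by a second MAC address. The following is an added detection example, not code from ESET's paper or from the Ebury analysis; it parses ARP replies in the text format `tcpdump -n arp` prints (the sample lines are constructed, not a real capture) and reports every reply whose MAC conflicts with the binding already learned or seeded as trusted.

```python
import re

# Constructed sample lines in the style of `tcpdump -n arp` output (not a real capture).
# 10.0.0.1 plays the gateway; from 10:00:09 a second MAC starts claiming it.
SAMPLE_TCPDUMP_ARP = """\
10:00:01.000101 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01, length 28
10:00:02.000202 ARP, Request who-has 10.0.0.1 tell 10.0.0.23, length 28
10:00:02.000303 ARP, Reply 10.0.0.23 is-at aa:bb:cc:00:00:23, length 28
10:00:09.000404 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:42, length 28
10:00:12.000505 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:42, length 28
10:00:15.000606 ARP, Reply 10.0.0.23 is-at aa:bb:cc:00:00:23, length 28
"""

# Only "Reply <ip> is-at <mac>" lines matter; requests carry no binding to check.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_conflicts(replies, trusted=None):
    """Return alerts as (timestamp, ip, previously_seen_mac, conflicting_mac).

    `trusted` seeds the table with known-good bindings (for example the default
    gateway) so that the first reply seen for that IP cannot poison the baseline.
    A conflicting MAC is never learned, so every further conflicting reply is
    reported as well rather than silently becoming the new baseline.
    """
    learned = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        prev = learned.get(ip)
        if prev is None:
            learned[ip] = mac
        elif prev != mac:
            alerts.append((ts, ip, prev, mac))
    return alerts


def scan_sample():
    """Run the detector over the constructed sample with the gateway seeded as trusted."""
    return detect_arp_conflicts(
        parse_arp_replies(SAMPLE_TCPDUMP_ARP),
        trusted={"10.0.0.1": "aa:bb:cc:00:00:01"},
    )


if __name__ == "__main__":
    for ts, ip, prev, mac in scan_sample():
        print(f"{ts} ARP conflict: {ip} was {prev}, now claimed by {mac}")
```

On a real host the same functions can be fed the output of `tcpdump -l -n arp` line by line; seeding `trusted` from a static ARP entry for the gateway is what makes the check robust against an attacker who starts spoofing before the monitor has learned anything.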
The Ebury Botnet, active since 2009, has compromised a significant number of servers. Over 400,000 Linux, FreeBSD, and OpenBSD servers have been infected with Ebury, and over 100,000 remained compromised in late 2023.
The attackers use stolen credentials to establish persistence and deploy additional malware for various purposes, including web traffic redirection, spam campaigns, and launching Man-in-the-Middle attacks.
Ebury's effectiveness is evident from the large number of compromised systems and its ability to deploy various malicious payloads.
Researchers at WeLiveSecurity have discovered new malware families working alongside the Ebury botnet, which target financial data by intercepting communication between compromised servers and transactional websites.
The Ebury botnet, still capable of spam and traffic manipulation, now leverages HTTP POST requests to steal financial details, which suggests that the attackers are moving beyond traditional botnet activities and towards lucrative financial theft.
The Ebury malware family received a significant update in late 2023, with version 1.8 including improvements to its evasion capabilities.
New obfuscation techniques make it harder to analyze the malware code. A new domain generation algorithm allows Ebury to generate unpredictable domains for communication, hindering detection.
Additionally, the userland rootkit component has been enhanced to hide processes, files, sockets, and even mapped memory from system administrators, making it difficult to identify and remove the malware from infected systems.
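A userland rootkit that hides processes typically does so by filtering the directory listing of `/proc` that tools such as `ps` obtain through the C library, while the kernel itself still answers for the hidden PID. The following added example (not ESET's tooling, and not specific to Ebury's implementation) applies the classic cross-view check: compare the PIDs returned by listing `/proc` with the PIDs the kernel confirms when each candidate is probed directly with `stat()`. It assumes a Linux host with `/proc` mounted.

```python
import os


def listed_pids():
    """PIDs visible through readdir() on /proc, the path ps and top take.

    A userland (LD_PRELOAD) rootkit that hooks readdir()/getdents can filter
    entries out of this view without touching the kernel."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(pid_max):
    """PIDs found by asking the kernel about each candidate directly with stat(),
    which does not depend on the directory listing at all."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"/proc/{pid}")
        except FileNotFoundError:
            continue
        found.add(pid)
    return found


def find_hidden_pids(listed, probed):
    """PIDs the kernel answers for but the directory listing omits."""
    return set(probed) - set(listed)


def system_pid_max():
    """Upper bound for PIDs on this host (the kernel's pid_max tunable)."""
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


def self_pid_visible():
    """Sanity check: the running interpreter must appear in both views."""
    me = os.getpid()
    return me in listed_pids() and me in probed_pids(me)


def confirmed_hidden_pids(pid_max):
    """Full scan with a re-check to discard processes that simply exited between
    the listing and the probe (a short-lived PID is a false positive, not a rootkit)."""
    candidates = find_hidden_pids(listed_pids(), probed_pids(pid_max))
    still_listed = listed_pids()
    return {pid for pid in candidates
            if pid not in still_listed and os.path.exists(f"/proc/{pid}")}


if __name__ == "__main__":
    # Probing every PID up to pid_max can take a while on hosts with a large pid_max.
    hidden = confirmed_hidden_pids(system_pid_max())
    if hidden:
        print("PIDs present in the kernel but missing from the /proc listing:", sorted(hidden))
    else:
        print("No hidden PIDs found")
```

Because a rootkit that also hooks `stat()` would defeat this particular comparison, the check is best run from a statically linked binary or alongside a second view (for example `/proc/<pid>/status` read via a different code path) rather than relied on alone; a non-empty result is a strong signal that the host needs offline inspection.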