
400k Linux Servers Hacked to Mine Cryptocurrency


ESET researchers have published a follow-up paper on the Ebury botnet, a Linux malware family that steals credentials for financial gain, relies on an OpenSSH backdoor and has even evolved to evade honeypot detection.

ESET and the Dutch National High Tech Crime Unit collaborated to investigate recent Ebury activity and the new malware families it uses; their joint work helps track new samples and network indicators of the botnet.

Interactions between the Ebury perpetrators and an ESET-operated honeypot, showing that the operators had flagged this system as a honeypot

Ebury leverages compromised hosting providers to infect a large number of servers efficiently: the attackers gain access to the hosting provider's infrastructure and install Ebury on all the rented servers, significantly expanding their reach.

It also employs ARP spoofing within compromised networks to intercept SSH traffic and steal credentials, allowing the operators to target cryptocurrency wallets hosted on servers such as Bitcoin and Ethereum nodes.

By capturing the login credentials as the victim enters their password, the Ebury operators can steal the cryptocurrency wallets hosted on the server.

Overview of AitM attacks perpetrated by the Ebury gang

The Ebury Botnet, active since 2009, has compromised a significant number of servers. Over 400,000 Linux, FreeBSD, and OpenBSD servers have been infected with Ebury, and over 100,000 remained compromised in late 2023. 

The attackers use stolen credentials to establish persistence and deploy additional malware for various purposes, including web traffic redirection, spam campaigns, and launching Man-in-the-Middle attacks. 

Ebury's effectiveness is evident from the large number of compromised systems and its ability to deploy a range of malicious payloads.

Ebury deployments per month using two different scales on the Y axis, according to the database of compromised servers maintained by the perpetrators

Researchers at WeLiveSecurity have discovered new malware families working alongside the Ebury botnet, which target financial data by intercepting communication between compromised servers and transactional websites. 

The Ebury botnet, still capable of spam and traffic manipulation, now leverages HTTP POST requests to steal financial details, which suggests that the attackers are moving beyond traditional botnet activities and towards lucrative financial theft. 

Multiple malware families deployed on Ebury-infested servers and the impact for potential victims

The Ebury malware family received a significant update in late 2023, with version 1.8 including improvements to its evasion capabilities. 

Differences (in unified format) in OpenSSH server and Bash maps files when under the Ebury userland rootkit

New obfuscation techniques make it harder to analyze the malware code. A new domain generation algorithm allows Ebury to generate unpredictable domains for communication, hindering detection. 

Additionally, the userland rootkit component has been enhanced to hide processes, files, sockets, and even mapped memory from system administrators, making it difficult to identify and remove the malware from infected systems. 
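A defender-side check in the spirit of the maps-file comparison shown in the figure above, added here as an example that is not ESET's tooling and not part of the original report: it parses /proc/<pid>/maps lines and flags executable mappings a userland rootkit has reason to hide (regions backed by a deleted file, anonymous executable regions, and executables outside the distribution's packaged paths). The trusted-prefix list, the heuristics and the sample maps lines are constructed assumptions.

```python
import re
from collections import namedtuple

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)
Mapping = namedtuple("Mapping", "start end perms inode path")

# Where packaged executables and shared objects normally live (assumption; adjust per distro).
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/bin/", "/usr/sbin/")

def parse_maps(text):
    """Parse maps-file text into Mapping records; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], int(m["inode"]), m["path"].strip()))
    return out

def suspicious_mappings(mappings):
    """Return (reason, Mapping) pairs for executable regions a userland rootkit would want hidden."""
    findings = []
    for mp in mappings:
        if "x" not in mp.perms or mp.path.startswith("["):  # skip non-exec and [vdso]-style regions
            continue
        if mp.path.endswith("(deleted)"):
            findings.append(("executable mapping backed by a deleted file", mp))
        elif mp.path == "" and mp.inode == 0:
            findings.append(("anonymous executable region (sshd and bash do not JIT)", mp))
        elif not mp.path.startswith(TRUSTED_PREFIXES):
            findings.append(("executable file outside packaged paths", mp))
    return findings

# Constructed sample resembling an sshd maps file; the /tmp entry and the
# anonymous r-xp region are the planted anomalies.
SAMPLE_MAPS = """\
55d1c2a00000-55d1c2b00000 r-xp 00000000 fd:01 1234567 /usr/sbin/sshd
7f3a10000000-7f3a10200000 r-xp 00000000 fd:01 2345678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a10400000-7f3a10410000 r-xp 00000000 fd:01 3456789 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a10600000-7f3a10610000 r-xp 00000000 fd:01 4567890 /tmp/.x/libhelper.so (deleted)
7f3a10800000-7f3a10810000 r-xp 00000000 00:00 0
7ffd1a000000-7ffd1a002000 r-xp 00000000 00:00 0 [vdso]
"""
```

Because a userland rootkit filters what the hooked process itself reads, run a check like this from a statically linked binary or against a disk image or memory snapshot taken from outside the host, and compare that view with the one the suspect process reports.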
