400K Linux Servers Recruited by Resurrected Ebury Botnet


A Linux-based botnet is alive and well, powering cryptocurrency theft and financial scams years after the imprisonment of one of the key perpetrators behind it.

The Ebury botnet – which was first discovered 15 years ago – has backdoored nearly 400,000 Linux, FreeBSD, and OpenBSD servers. More than 100,000 servers were still compromised as of late 2023, according to new research from cybersecurity vendor ESET.

Victims include universities, small and large enterprises, Internet service providers, cryptocurrency traders, Tor exit nodes, and many hosting providers worldwide.

Anatomy of a Threat

Ebury is an OpenSSH backdoor that’s used to steal credentials like SSH keys and passwords. It creates a backdoor on the infected server that facilitates the deployment of secondary malware modules such as Cdorked, an HTTP backdoor used to redirect Web traffic and modify DNS settings, and Calfbot, a Perl script used to send spam emails.

Over the years, Ebury has served as a platform for spam distribution, Web traffic redirections, and credential-stealing, among other scams. Most recently, the gang running the botnet has pivoted to credit card and cryptocurrency theft, researchers found.

The attackers use adversary-in-the-middle tactics to intercept the SSH traffic of interesting targets – including Bitcoin and Ethereum nodes – within data centers, and then redirect that traffic to a server under their control. Once a would-be victim types their password into a cryptocurrency wallet hosted on the compromised server, Ebury automatically steals those wallets, according to ESET, which this week released updated research and a white paper on the Ebury botnet.

They also appear to be making attempts to muscle out potential credit card theft competitors. Case in point: Ebury malware attempts to detect and remove the BigBadWolf banking Trojan from compromised systems.

Ebury’s operators employ zero-day vulnerabilities in the server administrator software to hack servers at scale and extract credentials from the victim servers, the researchers found. The attackers also use known passwords and keys to hack into related systems, which allow them to surreptitiously install Ebury on multiple servers rented from any…
