Ebury, a notorious server-side malware campaign, has been active for 15 years, and its use by cybercriminals is on the rise, according to a recent report by cybersecurity firm ESET.
The report, published on May 14, 2023, revealed that the operators of the Ebury malware and botnet have been more active than ever this year. Ebury has been notorious for infiltrating nearly 400,000 Linux, FreeBSD, and OpenBSD servers over the years, with over 100,000 servers still compromised as of late 2023.
Initially known for deploying spam, web traffic redirections, and credential stealing, the Ebury group has now expanded its tactics to include credit card compromise and cryptocurrency theft.
The group behind Ebury, which emerged in 2009, has developed an OpenSSH backdoor and a credential stealer, and uses them to deploy multiple malware strains simultaneously through a botnet. Its primary targets are hosting providers: the Ebury botnet is used to compromise their servers and carry out malicious activities such as web traffic redirection, spam proxying, and adversary-in-the-middle (AitM) attacks.
In 2014, ESET published a white paper on Operation Windigo, a malicious campaign that utilized multiple malware families in conjunction with the Ebury malware. Following this, one of the Ebury operators, Maxim Senakh, was arrested in 2015 and sentenced to 46 months in the US for his involvement in the Ebury botnet.
Despite the arrest, the Ebury group has continued its malicious campaigns, with a recent focus on Bitcoin and Ethereum nodes for cryptocurrency theft. The group has evolved its attack methods, including AitM attacks to intercept SSH traffic and steal cryptocurrency wallets from targeted servers.
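The SSH interception described above is what client-side host key pinning exists to catch: a server that is already pinned in known_hosts but suddenly presents a different key produces a mismatch, which is the signal an administrator sees when traffic to that host is being intercepted (or when the host was legitimately re-keyed, something to confirm out of band before accepting the new key). The script below is an added example written for this page, not code from ESET or from the Ebury report; it parses an OpenSSH known_hosts file, including hashed host entries and `@revoked` markers, and classifies a presented key as pinned-and-matching, revoked, mismatched or unknown. All hostnames, salts and key blobs in it are constructed sample data.

```python
"""Check an SSH server's presented host key against a known_hosts file.

Verdicts: 'ok' (pinned key matches), 'revoked' (key explicitly revoked),
'mismatch' (host is pinned but presented a different key: the AitM signal),
'unknown' (host never seen; trust-on-first-use decision for the operator).
"""
import base64
import hashlib
import hmac


def hash_host_entry(host: str, salt: bytes) -> str:
    """Build the hashed host field OpenSSH writes with HashKnownHosts=yes:
    |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated list, or hashed)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in pattern.split(",")


def parse_known_hosts(text: str) -> list:
    """Parse known_hosts lines into dicts; '@revoked'/'@cert-authority' markers are kept."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed line: needs hosts, key type and key
        entries.append({"marker": marker, "hosts": fields[0],
                        "type": fields[1], "key": fields[2]})
    return entries


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(entries: list, host: str, key_type: str, key_b64: str) -> str:
    """Return 'ok', 'revoked', 'mismatch' or 'unknown' for a presented key."""
    pinned = False
    for e in entries:
        if e["marker"] == "@cert-authority" or not host_matches(e["hosts"], host):
            continue
        same_key = e["type"] == key_type and hmac.compare_digest(e["key"], key_b64)
        if e["marker"] == "@revoked":
            if same_key:
                return "revoked"
            continue
        pinned = True  # this host has a pinned key of some kind
        if same_key:
            return "ok"
    return "mismatch" if pinned else "unknown"


# Constructed sample data: not real hosts, salts or keys.
GOOD_KEY = base64.b64encode(b"constructed-ed25519-key-blob-for-build-01").decode()
ROGUE_KEY = base64.b64encode(b"constructed-key-blob-presented-by-intercepting-host").decode()
OLD_KEY = base64.b64encode(b"constructed-retired-key-blob-for-build-01").decode()
KNOWN_HOSTS = "\n".join([
    "# plain entry with a hostname and an address (constructed)",
    "node01.example.internal,10.0.0.11 ssh-ed25519 " + GOOD_KEY,
    "# hashed entry as written with HashKnownHosts=yes (constructed salt)",
    hash_host_entry("build-01.example.internal", b"constructed-salt-01")
    + " ssh-ed25519 " + GOOD_KEY,
    "@revoked build-01.example.internal ssh-ed25519 " + OLD_KEY,
])
ENTRIES = parse_known_hosts(KNOWN_HOSTS)


def check(host: str, key_type: str, key_b64: str) -> str:
    """Verdict for a presented key; refuse to proceed on anything but 'ok'."""
    return verify_host_key(ENTRIES, host, key_type, key_b64)


if __name__ == "__main__":
    for host, key in [("node01.example.internal", GOOD_KEY),
                      ("10.0.0.11", ROGUE_KEY),
                      ("build-01.example.internal", GOOD_KEY),
                      ("build-01.example.internal", OLD_KEY),
                      ("new-host.example.internal", GOOD_KEY)]:
        print(host, fingerprint(key), check(host, "ssh-ed25519", key))
```

The `mismatch` verdict is deliberately distinct from `unknown`: a never-seen host is a policy decision, but a pinned host presenting a new key should stop the connection until the fingerprint is confirmed through a channel the intercepting party cannot control. Comparisons use `hmac.compare_digest` so the check itself does not leak timing information about the stored keys.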
In late 2023, a new major version update of the Ebury malware, version 1.8, was observed, featuring new obfuscation techniques, a domain generation algorithm, and enhancements in the userland rootkit to conceal itself from system administrators.
The year 2023 has seen a surge in Ebury group activity, with a record number of compromised servers reported in August, surpassing 6,000 in a single month. To date, around 400,000 servers have fallen victim to Ebury since its inception, with over 100,000 servers still compromised as of late 2023.
The Ebury group’s relentless pursuit of compromising servers and exploiting them for financial gain underscores the ever-evolving threat landscape faced by organizations and hosting providers worldwide. ESET continues to monitor and investigate the activities of the Ebury group to protect against their malicious campaigns.