Ebury Botnet Malware Infects 400,000 Linux Servers Over 14 Years

May 15, 2024

The Ebury botnet malware has been infiltrating Linux servers for the past 14 years, compromising an estimated 400,000 servers since 2009, according to a report from cybersecurity firm ESET. Over 100,000 servers were still infected as of late 2023. ESET describes the campaign as one of the most advanced server-side operations aimed at financial gain. ESET security researcher Marc-Etienne M.Léveillé stated, "Ebury actors have been pursuing monetization activities [...], including the spread of spam, web traffic redirections, and credential stealing." The operators also steal cryptocurrency using adversary-in-the-middle (AitM) attacks and steal credit card data by eavesdropping on network traffic, a technique commonly known as server-side web skimming.

The Ebury botnet was first documented over a decade ago as part of Operation Windigo, a campaign that targeted Linux servers to deploy the malware. Other components, such as the Cdorked web server backdoor and the Calfbot spam script, were used alongside it to redirect web traffic and send spam. In August 2017, Russian national Maxim Senakh was sentenced to nearly four years in prison in the U.S. for his role in the development and maintenance of the Ebury botnet. The U.S. Justice Department said, "Senakh and his co-conspirators used the Ebury botnet to generate and redirect internet traffic in furtherance of various click-fraud and spam email schemes, which fraudulently generated millions of dollars in revenue." Senakh admitted to creating accounts with domain registrars to build out the Ebury botnet infrastructure, and personally profited from the traffic the botnet generated.

ESET's investigation revealed various methods the attackers use to deliver Ebury, including theft of SSH credentials, credential stuffing, infiltrating hosting provider infrastructure, exploiting flaws in Control Web Panel (e.g., CVE-2021-45467), and SSH adversary-in-the-middle (AitM) attacks. The threat actors also used fake or stolen identities to hide their activities, and compromised infrastructure belonging to other criminal operators, both to further their own goals and to confuse attribution. ESET mentioned, "An example is the compromise of servers responsible for collecting data from Vidar Stealer. Ebury actors used the stolen identities obtained through Vidar Stealer for renting server infrastructure and in their activities, sending law enforcement bodies in the wrong directions." In another instance, Ebury was used to breach a system belonging to one of the Mirai botnet authors and steal the source code before it was made public. Ebury itself functions as an SSH backdoor and credential stealer, and is used to deploy additional payloads, such as HelimodSteal, HelimodProxy, and HelimodRedirect, and to expand the attackers' presence within a compromised network. The latest known version of Ebury is 1.8.2.

According to ESET, these tools share a common goal: monetizing the compromised servers, whether through credit card and cryptocurrency theft, traffic redirection, spam sending, or credential stealing. HelimodSteal, HelimodRedirect, and HelimodProxy are all HTTP server modules, used respectively to intercept HTTP POST requests made to the web server, to redirect HTTP requests to ads, and to proxy traffic for sending spam; the group also uses a kernel module, KernelRedirect, to modify HTTP traffic for redirection. Other tooling hides malicious traffic and lets it through the firewall, and Perl scripts carry out large-scale AitM attacks inside hosting providers' data centers to reach valuable targets and steal cryptocurrency from their wallets.

HelimodSteal is also designed to capture credit card data that a victim submits to an online store, effectively acting as a server-side web skimmer that extracts the information as the infected server receives it. Alternatively, the financial details can be obtained by Ebury itself or by FrizzySteal, a malicious shared library injected into libcurl that can exfiltrate requests the compromised server makes to external HTTP servers, such as a payment processor. ESET noted, "Since both are operating within the web server or application, end-to-end encryption (HTTPS) cannot protect against this threat. Access to servers used for shared hosting grants them access to a lot of unencrypted web traffic, which they leverage for stealthy redirection or capturing details submitted in online forms."
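Because these components run inside the web server process or inside a library the server loads (an HTTP server module, a shared object injected into libcurl), a practical first question for a defender is what code is actually mapped into the server's processes. The following Python script is an added illustration, not code from the article or from ESET's tooling: it parses the /proc/<pid>/maps format for one process and flags executable file mappings that either no installed package owns or that point to a file deleted after it was mapped. The sample maps content and the two flagged paths are constructed placeholders for this example, not real Ebury indicators, and the set of package-owned files stands in for what dpkg -S or rpm -qf would report on a live host.

```python
import re
from typing import Dict, Iterable, Set

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+[0-9a-f]+\s+"
    r"[0-9a-f]+:[0-9a-f]+\s+(\d+)\s*(.*)$"
)


def executable_file_mappings(maps_text: str) -> Set[str]:
    """Return the paths of every file-backed mapping with the execute bit set.

    That covers the process binary and each shared object loaded into it.
    Anonymous memory and pseudo-files ([heap], [vdso]) have inode 0 and no
    leading '/', so they are skipped.
    """
    paths: Set[str] = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if not m:
            continue
        perms, inode, path = m.group(3), int(m.group(4)), m.group(5)
        if "x" in perms and inode != 0 and path.startswith("/"):
            paths.add(path)
    return paths


def suspicious_libraries(maps_text: str, package_owned: Iterable[str]) -> Dict[str, str]:
    """Flag executable mappings that a package-manager baseline does not explain.

    Returns {path: reason}, where reason is
      'deleted' - the file was unlinked or replaced after being mapped, so the
                  code running in the process no longer matches anything on disk
      'unowned' - no installed package claims the file
    """
    owned = set(package_owned)
    flagged: Dict[str, str] = {}
    for path in executable_file_mappings(maps_text):
        if path.endswith(" (deleted)"):
            flagged[path[: -len(" (deleted)")]] = "deleted"
        elif path not in owned:
            flagged[path] = "unowned"
    return flagged


# Constructed sample of an Apache worker's /proc/<pid>/maps. The two odd
# entries are placeholders invented for this example, not real Ebury indicators.
SAMPLE_MAPS = """\
5597d2a00000-5597d2a85000 r-xp 00000000 08:01 262200 /usr/sbin/apache2
7f4b1c000000-7f4b1c021000 r-xp 00000000 08:01 131079 /usr/lib/x86_64-linux-gnu/libcurl.so.4.7.0
7f4b1c021000-7f4b1c221000 ---p 00021000 08:01 131079 /usr/lib/x86_64-linux-gnu/libcurl.so.4.7.0
7f4b1c400000-7f4b1c40a000 r-xp 00000000 08:01 900001 /tmp/.cache/libexample-inject.so
7f4b1c500000-7f4b1c503000 r-xp 00000000 08:01 900002 /usr/lib/apache2/modules/mod_example_helper.so (deleted)
7f4b1c600000-7f4b1c621000 rw-p 00000000 00:00 0      [heap]
7ffd8a3f0000-7ffd8a3f2000 r-xp 00000000 00:00 0      [vdso]
"""

# Stand-in for the output of `dpkg -S` / `rpm -qf` on the mapped paths
# (constructed for the example; on a real host build this from the package manager).
KNOWN_PACKAGE_FILES = {
    "/usr/sbin/apache2",
    "/usr/lib/x86_64-linux-gnu/libcurl.so.4.7.0",
}


def audit_sample() -> Dict[str, str]:
    """Run the check against the constructed sample."""
    return suspicious_libraries(SAMPLE_MAPS, KNOWN_PACKAGE_FILES)


if __name__ == "__main__":
    for path, reason in sorted(audit_sample().items()):
        print(f"{reason:8s} {path}")
```

Treat this as a baseline hygiene check rather than an Ebury detection: the group ships tooling specifically to hide its activity, and a library patched in place (a modified libcurl that the package manager still owns) passes this test and only surfaces under checksum verification such as debsums or rpm -V against known-good package data. For Ebury-specific indicators, rely on ESET's report.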
