May 17, 2024
Severity
High
Analysis Summary
The Ebury botnet, a long-running malware campaign targeting Linux servers, has compromised approximately 400,000 servers since 2009, with over 100,000 still affected as of late 2023.
According to cybersecurity researchers, Ebury represents one of the most advanced server-side malware operations aimed at financial gain. The malware is used for spreading spam, redirecting web traffic, stealing credentials, and conducting cryptocurrency theft via adversary-in-the-middle (AitM) and server-side web skimming attacks. The campaign first surfaced over a decade ago as Operation Windigo, which targeted Linux servers with the Ebury backdoor alongside the Cdorked web server backdoor and the Calfbot Perl spam script to facilitate spam and traffic redirection.
Ebury's operations have involved complex monetization strategies, including click-fraud and spam schemes that generated millions of dollars. In 2017, Russian national Maxim Senakh was sentenced in the U.S. for his role in developing and maintaining the botnet, which included creating domain registrar accounts to support the Ebury infrastructure.
The investigation revealed various methods used by attackers to deliver Ebury, such as SSH credential theft, credential stuffing, infiltrating hosting provider infrastructure, exploiting Control Web Panel flaws, and SSH AitM attacks. Attackers also employed fake or stolen identities to obfuscate their tracks and confuse attribution efforts.
The malware, functioning as an SSH backdoor and credential stealer, allows attackers to deploy additional payloads, such as HelimodSteal, HelimodRedirect, and HelimodProxy, expanding their presence within compromised networks. Ebury has evolved over the years; the latest version, 1.8.2, introduces new obfuscation techniques, a domain generation algorithm (DGA), and a userland rootkit to better conceal its presence. These tools are primarily aimed at monetizing compromised servers through various means, including credit card information theft, cryptocurrency stealing, traffic redirection, spam sending, and credential stealing.
Ebury's associated Apache HTTP server modules—HelimodSteal, HelimodRedirect, and HelimodProxy—are used to intercept HTTP POST requests, redirect traffic to ads, and proxy spam traffic. A kernel module called KernelRedirect modifies HTTP traffic to perform redirection. Attackers also employ software to hide malicious traffic and Perl scripts to carry out large-scale AitM attacks within hosting providers' data centers, targeting valuable servers to steal cryptocurrency from wallets. Between February 2022 and May 2023, as many as 200 servers across more than 75 networks in 34 countries were compromised in this manner.
Furthermore, Ebury facilitates server-side web skimming by capturing credit card data submitted to online stores hosted on infected servers. Ebury itself and FrizzySteal, a malicious shared library injected into libcurl, can copy outgoing requests to attacker-controlled servers. Because the data is captured inside the process before it is encrypted for transport, HTTPS offers no protection against this form of theft.
The malware leverages access to shared-hosting servers to capture unencrypted web traffic for stealthy redirection or to extract sensitive details submitted in online forms. This comprehensive and multifaceted approach underscores the extensive capabilities and the significant threat the Ebury botnet poses to global cybersecurity.
Impact
- Financial Loss
- Unauthorized Access
- Credential Theft
- Identity Theft
Indicators of Compromise
MD5
- 66a89e7f45fb44213b35e436106dfd71
- e77a33419876dcd678a425fe50652eed
- 970e23b028bc6fb1322ded0b8b5b01d0
- d72751d864d283eb085083e70be59294
- 728fc6e23a1644d43c8aa564037ee89e
- 44ef105d55622f52a9f7f6278ebae891
- c321614a1144004feb76abdceb049373
- ece07f84edbde75d6883324c91b1ccdd
- e8715c88846802fb05b7904833ee18d7
SHA-256
- f36808dbd52c9074e87fd365a91168daadbb63681a08a9eeba5977f0731a1c04
- dae9068440615750cbff522faa093a320a61185320aaa3a68499f31302a52fda
- 9dba448f82bd693484fdb303694e185e9eb5b9146c0b39974aa8a8ceea0a6589
- 2596956e0eb0f1e59d3275e557caf9974942db3d6927e2215243034f5c792916
- 7a472fb0415345e9396e708621218783cb0459e7b883ab9ded648c4712aa2475
- 671c9fc9a4e82499b71cee43abfbbf86d1dc01a0dbc500f265f7867715f819f9
- 3913e9bf43ec6a73584b9d621f396ee035d8bd1d28a99421e405c226cd321b98
- 01f8a935832048a6c116b376db82a83890e6375586e830e87ca3c244b71392b5
- 7e1c91e249b5a01a726dcf97f76f2f434d60385a4a060cb0272e715c82b8d914
SHA1
- a6707c7ef12ce9b0f7152ca300ebb2bc026ce0b
- ac96adbe1b4e73c95c28d87fa46dcf55d4f8eea2
- b58725399531d38ca11d8651213b4483130c98e2
- 09c8af3be4327c83d4a7124a678bbc81e12a1de4
- 2fc132440bafdbc72f4d4e8dcb2563cc0a6e096b
- dd7846b3ec2e88083cae353c02c559e79124a745
- 9018377c0190392cc95631170efb7d688c4fd393
- 03592b8147e2c84233da47f6e957acd192b3796a
- 858c612fe020fd5089a05a3ec24a6577cbeaf7eb
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Passwords – Ensure that general security policies are employed, including strong passwords, correct configurations, and proper administrative security policies. Since Ebury spreads through stolen and guessed SSH credentials, pay particular attention to SSH accounts.
- Admin Access – Limit access to administrative accounts and portals to relevant personnel only, and make sure they are not publicly accessible.
- Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and keep signature definitions up to date. Multi-layered protection is necessary to secure vulnerable assets.
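The remediation steps above ask for an IOC sweep. The following is an added example, not the advisory's or ESET's tooling, that walks a directory tree, hashes every regular file once with all three algorithms and reports any match against the hash list in the Indicators of Compromise section. The IOC text block, the stand-in file names and the self-check are constructed here. One detail worth handling: the first SHA1 entry in the list is only 39 hex characters long, so the parser reports it as malformed instead of silently comparing files against a digest that can never match.

```python
"""Scan a directory tree for files matching the Ebury hashes in this advisory.
Added example, not ESET's or the advisory author's tooling.
Usage: python ebury_ioc_scan.py /path/to/scan   (no argument runs a self-check)"""
import hashlib
import os
import sys
import tempfile

# Hashes copied from the Indicators of Compromise section: "<algorithm> <digest>...".
IOC_TEXT = """
md5 66a89e7f45fb44213b35e436106dfd71 e77a33419876dcd678a425fe50652eed
md5 970e23b028bc6fb1322ded0b8b5b01d0 d72751d864d283eb085083e70be59294
md5 728fc6e23a1644d43c8aa564037ee89e 44ef105d55622f52a9f7f6278ebae891
md5 c321614a1144004feb76abdceb049373 ece07f84edbde75d6883324c91b1ccdd
md5 e8715c88846802fb05b7904833ee18d7
sha256 f36808dbd52c9074e87fd365a91168daadbb63681a08a9eeba5977f0731a1c04
sha256 dae9068440615750cbff522faa093a320a61185320aaa3a68499f31302a52fda
sha256 9dba448f82bd693484fdb303694e185e9eb5b9146c0b39974aa8a8ceea0a6589
sha256 2596956e0eb0f1e59d3275e557caf9974942db3d6927e2215243034f5c792916
sha256 7a472fb0415345e9396e708621218783cb0459e7b883ab9ded648c4712aa2475
sha256 671c9fc9a4e82499b71cee43abfbbf86d1dc01a0dbc500f265f7867715f819f9
sha256 3913e9bf43ec6a73584b9d621f396ee035d8bd1d28a99421e405c226cd321b98
sha256 01f8a935832048a6c116b376db82a83890e6375586e830e87ca3c244b71392b5
sha256 7e1c91e249b5a01a726dcf97f76f2f434d60385a4a060cb0272e715c82b8d914
sha1 a6707c7ef12ce9b0f7152ca300ebb2bc026ce0b ac96adbe1b4e73c95c28d87fa46dcf55d4f8eea2
sha1 b58725399531d38ca11d8651213b4483130c98e2 09c8af3be4327c83d4a7124a678bbc81e12a1de4
sha1 2fc132440bafdbc72f4d4e8dcb2563cc0a6e096b dd7846b3ec2e88083cae353c02c559e79124a745
sha1 9018377c0190392cc95631170efb7d688c4fd393 03592b8147e2c84233da47f6e957acd192b3796a
sha1 858c612fe020fd5089a05a3ec24a6577cbeaf7eb
"""
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HEX = set("0123456789abcdef")


def parse_iocs(text):
    """Return ({algo: set(digests)}, [(algo, digest) that failed validation]).
    Digests are lower-cased and must be hex of exactly their algorithm's length."""
    iocs = {algo: set() for algo in DIGEST_LEN}
    malformed = []
    for line in text.splitlines():
        parts = line.lower().split()
        if not parts:
            continue
        algo, digests = parts[0], parts[1:]
        for d in digests:
            if algo in DIGEST_LEN and len(d) == DIGEST_LEN[algo] and set(d) <= HEX:
                iocs[algo].add(d)
            else:
                malformed.append((algo, d))
    return iocs, malformed


def hash_file(path, chunk=1 << 20):
    """md5, sha1 and sha256 of one file, computed in a single read pass."""
    hashers = {algo: hashlib.new(algo) for algo in DIGEST_LEN}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan_tree(root, iocs):
    """Return [(path, algo, digest)] for every file under root whose hash is an IOC.
    Symlinks are skipped and unreadable files ignored, so the sweep can run as an
    unprivileged user over a partly readable tree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digests = hash_file(path)
            except OSError:
                continue
            hits.extend((path, a, d) for a, d in digests.items() if d in iocs[a])
    return hits


def demo():
    """Self-check on a constructed tree: a benign file plus a stand-in file whose
    SHA-256 is added to the IOC set, since no real Ebury sample is shipped here."""
    iocs, malformed = parse_iocs(IOC_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        sample = os.path.join(tmp, "stand-in.so")  # constructed, not malware
        with open(sample, "wb") as fh:
            fh.write(b"constructed stand-in for an Ebury sample\n")
        iocs["sha256"].add(hash_file(sample)["sha256"])
        hits = scan_tree(tmp, iocs)
    return [(os.path.basename(p), a) for p, a, _ in hits], malformed


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(demo())
        sys.exit(0)
    iocs, malformed = parse_iocs(IOC_TEXT)
    for algo, digest in malformed:
        print(f"skipping malformed {algo} IOC: {digest}", file=sys.stderr)
    for path, algo, digest in scan_tree(sys.argv[1], iocs):
        print(f"MATCH {algo} {digest} {path}")
```

Hash matching only finds the specific samples listed; Ebury's userland rootkit can hide files from a scan run on the infected host itself, so treat a clean result on a live system as necessary rather than sufficient, and prefer hashing from a trusted boot or a mounted image where possible.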