Ebury Botnet: 15 Years of Infecting 400,000+ Linux Servers

According to a recent report by ESET, the Ebury botnet has infected nearly 400,000 Linux servers since 2009. As of the end of 2023, approximately 100,000 servers remain at risk.

ESET researchers have been monitoring Ebury’s activities for over a decade. Significant malware updates were recorded in 2014 and 2017. A recent law enforcement operation in the Netherlands provided new insights into the activities of this long-running botnet.

“While 400,000 is a massive number, it’s important to mention that this is the number of compromises over the course of almost 15 years. Not all of those machines were compromised at the same time. There is a constant churn of new servers being compromised while others are being cleaned up or decommissioned,” ESET explains.

The latest Ebury campaigns target hosting providers and carry out supply chain attacks through them, affecting the clients who rent virtual servers from those providers.

Initial compromise is carried out using stolen credentials; once a server is compromised, the malware steals its SSH connection lists and authentication keys in order to reach other systems.

“When the known_hosts file contains hashed information (see the HashKnownHosts OpenSSH option), the perpetrators try to brute force its content. Out of 4.8 million known_hosts entries collected by Ebury operators, about two million had their hostname hashed. 40% (about 800,000) of those hashed hostnames were guessed or brute forced,” ESET experts warn.
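As an added illustration (not code from the ESET report), the following Python audits a constructed known_hosts sample. It shows what the HashKnownHosts format actually stores, a per-entry salt plus an HMAC-SHA1 of the hostname, so a hashed entry can be checked against a candidate hostname exactly as `ssh-keygen -F` does, and it counts how many entries expose hostnames in plaintext. Hostnames, the salt and the key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac

def hash_host_token(hostname: str, salt: bytes) -> str:
    """Build the HashKnownHosts form OpenSSH writes: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def parse_known_hosts(text: str) -> list:
    """Return (host_field, key_type, key_blob) tuples, skipping comments and @marker prefixes."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries

def host_matches(host_field: str, hostname: str) -> bool:
    """What ssh-keygen -F does: recompute the HMAC for a hashed field, compare names for a plain one.
    The salt is stored in the entry, so the hash only hides names from casual reading, not from guessing."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = host_field.split("|", 3)
        actual = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(digest_b64))
    return hostname in host_field.split(",")

def audit(text: str) -> dict:
    """Summarise exposure: plaintext host fields leak hostnames outright; hashed ones resist casual reading."""
    entries = parse_known_hosts(text)
    plain = [h for h, _, _ in entries if not h.startswith("|1|")]
    return {"total": len(entries), "plaintext": plain, "hashed": len(entries) - len(plain)}

# Constructed sample file (hostnames, salt and key blobs are placeholders, not real data).
SAMPLE_SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts",
    "db1.example.internal,10.0.0.5 ssh-ed25519 AAAAC3Nza-PLACEHOLDER",
    hash_host_token("bastion.example.internal", SAMPLE_SALT) + " ssh-ed25519 AAAAC3Nza-PLACEHOLDER",
    "@revoked oldhost.example.internal ssh-rsa AAAAB3Nza-PLACEHOLDER",
])

if __name__ == "__main__":
    print(audit(KNOWN_HOSTS))
```

Because HMAC-SHA1 is fast and the salt travels with the entry, hashing is a mitigation against shoulder-surfing the file, not a substitute for protecting the file and the private keys it sits beside.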

The attackers can also exploit known vulnerabilities in server software to escalate privileges. In addition, they make use of hosting providers' own infrastructure to spread Ebury across containers or virtual environments.

In the next stage, malware operators intercept SSH traffic on targeted servers using ARP spoofing. When a user logs into an infected server via SSH, Ebury captures their credentials.

If the servers contain cryptocurrency wallets, Ebury uses the stolen credentials to automatically drain these wallets. In 2023, at least 200 servers, including Bitcoin and Ethereum nodes, were attacked in this manner.

Moreover, the attackers employ several monetization strategies within their botnet, including stealing credit card data, redirecting web traffic for ad and affiliate revenue, sending spam, and selling stolen credentials.

At the end of 2023, ESET discovered new obfuscation methods and a domain generation system that allows the botnet to evade detection and improve resilience against takedowns. Additionally, recent observations revealed the use of the following malicious modules in Ebury’s activities:

  • HelimodProxy: A proxy server for spam forwarding
  • HelimodRedirect: Redirects HTTP traffic to malicious sites
  • HelimodSteal: Steals data from HTTP POST requests
  • KernelRedirect: Modifies HTTP traffic at the kernel level
  • FrizzySteal: Intercepts and steals data from HTTP requests

ESET’s investigation was conducted in collaboration with the Dutch National High Tech Crime Unit (NHTCU), which seized a backup server used by the cybercriminals.

Dutch authorities report that Ebury operators use fake or stolen identities, sometimes impersonating other cybercriminals to confuse the investigation. The investigation is ongoing, but no specific charges have been filed yet.