A malware botnet known as 'Ebury' has infected almost 400,000 Linux servers since 2009, with roughly 100,000 still compromised as of late 2023.
[Chart: Ebury infections logged by ESET since 2009, showing notable growth in the volume of infections over time.]
In the latest update published today, ESET reports that a recent law enforcement action allowed them to gain insight into the malware operation's activities over the past fifteen years.
Recent Ebury attacks show a preference by the operators to breach hosting providers and perform supply chain attacks to clients renting virtual servers on the compromised provider.
The initial compromise is performed via credential stuffing attacks, using stolen credentials to log into the servers.
Once a server is compromised, the malware exfiltrates the list of inbound and outbound SSH connections recorded in wtmp and the known_hosts file, and steals SSH authentication keys, which are then used to attempt logins to those other systems.
Where possible, the attackers also exploit known vulnerabilities in software running on the servers to gain further access or to elevate their privileges.
The hosting provider's infrastructure, including OpenVZ or container hosts, can be leveraged to deploy Ebury across multiple containers or virtual environments.
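The lateral-movement map Ebury builds from wtmp and known_hosts is the same one a defender can build to see which hosts a compromised server could reach. The following is an added example, not code from ESET or from the malware: it parses glibc x86_64 wtmp records (the 384-byte struct utmp layout) and OpenSSH known_hosts, including hashed entries, which are only recoverable by guessing candidate names. The sample wtmp bytes, hostnames, salts and keys below are constructed for the example; the record layout and HMAC-SHA1 hashing scheme are the real ones.

```python
# Added example (not ESET's or Ebury's code): rebuild the SSH "map" that an
# attacker harvests from a compromised Linux host, from the same two sources.
import base64
import hashlib
import hmac
import struct

# glibc x86_64 struct utmp: type, pad, pid, line[32], id[4], user[32],
# host[256], exit_status(2 shorts), session, tv_sec, tv_usec, addr_v6[4], pad[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes
USER_PROCESS = 7  # ut_type for an interactive login


def _cstr(b):
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Return (user, source_host, tty, tv_sec) for every USER_PROCESS record."""
    out = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, _pid, line, _id, user, host, _t, _e, _s, sec, _us = f[:11]
        if ut_type != USER_PROCESS:
            continue
        out.append((_cstr(user), _cstr(host), _cstr(line), sec))
    return out


def make_wtmp_record(user, host, line, sec, ut_type=USER_PROCESS, pid=1234):
    """Pack one utmp record (used here only to construct sample input)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"ts/0",
                       user.encode(), host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


def hash_known_host(host, salt):
    """OpenSSH HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def parse_known_hosts(text, candidates=()):
    """Return (plaintext hosts, hashed hosts matched from candidates, unresolved hashed count)."""
    plain, matched, unresolved = set(), set(), 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        hostfield = line.split(None, 1)[0]
        if hostfield.startswith("|1|"):
            _, _, salt_b64, hash_b64 = hostfield.split("|")
            salt, digest = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
            hit = next((c for c in candidates if hmac.compare_digest(
                hmac.new(salt, c.encode(), hashlib.sha1).digest(), digest)), None)
            if hit:
                matched.add(hit)
            else:
                unresolved += 1
        else:
            for h in hostfield.split(","):
                # "[host]:port" form for non-default ports
                plain.add(h[1:].split("]")[0] if h.startswith("[") else h)
    return plain, matched, unresolved


def lateral_targets(wtmp_bytes, known_hosts_text):
    """Hosts that logged in here (inbound) and hosts this box has SSHed to (outbound)."""
    inbound = {h for _, h, _, _ in parse_wtmp(wtmp_bytes) if h}
    plain, matched, unresolved = parse_known_hosts(known_hosts_text, candidates=inbound)
    return {"inbound": sorted(inbound),
            "outbound": sorted(plain | matched),
            "hashed_unresolved": unresolved}


# Constructed sample data (hostnames, keys and salts are not real).
SAMPLE_WTMP = b"".join([
    make_wtmp_record("root", "198.51.100.7", "pts/0", 1700000000),
    make_wtmp_record("deploy", "bastion.example.net", "pts/1", 1700003600),
    make_wtmp_record("", "", "~", 1700000000, ut_type=2),  # BOOT_TIME, ignored
])
SAMPLE_KNOWN_HOSTS = "\n".join([
    "web01.example.net,203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForExampleOnly",
    "[db01.example.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAfake",
    hash_known_host("bastion.example.net", b"0123456789abcdef0123") + " ssh-ed25519 AAAAfake",
    hash_known_host("secret.example.net", b"fedcba9876543210fedc") + " ssh-ed25519 AAAAfake",
])

if __name__ == "__main__":
    print(lateral_targets(SAMPLE_WTMP, SAMPLE_KNOWN_HOSTS))
```

On a real host, run `lateral_targets(open("/var/log/wtmp", "rb").read(), open("/root/.ssh/known_hosts").read())`. Note how the hashed bastion entry is recovered simply because the same name appears in wtmp: HashKnownHosts hides targets only from an attacker who has no other list of names to try, which is rarely the case once wtmp and shell history are in hand.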
In the next phase, the operators intercept SSH traffic to targeted servers inside those data centers by using Address Resolution Protocol (ARP) spoofing to redirect it to a server under their control.
Once a user logs into a compromised server via SSH, Ebury captures the login credentials.
In cases where servers host cryptocurrency wallets, Ebury uses the captured credentials to empty the wallets automatically.
ESET says Ebury targeted at least 200 servers using this method throughout 2023, including Bitcoin and Ethereum nodes.
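The ARP spoofing step leaves a symptom on every host in the segment: the gateway's or neighbour's IP suddenly maps to a different MAC address, and that MAC typically claims more than one IP. The following added example (not ESET's code) is a small detector that compares two snapshots of /proc/net/arp, flags MAC changes, compares against pinned MACs for hosts you know, and reports one MAC claiming several IPs. The snapshots, IPs and MACs are constructed sample data in the exact /proc/net/arp column layout.

```python
# Added example (not ESET's): detect the ARP-cache symptom of the spoofing step.
from collections import defaultdict

ATF_COM = 0x2  # flag bit set on completed (resolved) ARP entries


def parse_proc_net_arp(text):
    """Return {ip: (mac, device)} from /proc/net/arp content, skipping incomplete entries."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = parts[:6]
        if not int(flags, 16) & ATF_COM:
            continue
        table[ip] = (mac.lower(), dev)
    return table


def arp_anomalies(prev, curr, pinned=None):
    """Compare two parsed tables; pinned is {ip: expected_mac} for hosts you trust."""
    alerts = []
    for ip, (mac, dev) in curr.items():
        if ip in prev and prev[ip][0] != mac:
            alerts.append({"kind": "mac_changed", "ip": ip, "dev": dev,
                           "old": prev[ip][0], "new": mac})
        if pinned and ip in pinned and pinned[ip].lower() != mac:
            alerts.append({"kind": "pinned_mismatch", "ip": ip, "dev": dev,
                           "expected": pinned[ip].lower(), "seen": mac})
    by_mac = defaultdict(list)
    for ip, (mac, _dev) in curr.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one NIC answering for several hosts: classic spoofing footprint
            alerts.append({"kind": "mac_claims_multiple", "mac": mac, "ips": sorted(ips)})
    return alerts


def check_snapshots(prev_text, curr_text, pinned=None):
    return arp_anomalies(parse_proc_net_arp(prev_text), parse_proc_net_arp(curr_text), pinned)


# Constructed sample snapshots: T1 shows the gateway's MAC flipped to the
# attacker's NIC, which now answers for two addresses.
SNAPSHOT_T0 = """IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         00:11:22:33:44:55     *        eth0
10.0.0.20        0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
10.0.0.66        0x1         0x2         de:ad:be:ef:00:01     *        eth0
"""
SNAPSHOT_T1 = """IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         de:ad:be:ef:00:01     *        eth0
10.0.0.20        0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
10.0.0.66        0x1         0x2         de:ad:be:ef:00:01     *        eth0
10.0.0.99        0x1         0x0         00:00:00:00:00:00     *        eth0
"""
PINNED_GATEWAY = {"10.0.0.1": "00:11:22:33:44:55"}

if __name__ == "__main__":
    for a in check_snapshots(SNAPSHOT_T0, SNAPSHOT_T1, PINNED_GATEWAY):
        print(a)
```

Run it from cron against `open("/proc/net/arp").read()` with the previous snapshot saved to disk. A pinned gateway MAC can be enforced rather than just watched with `ip neigh replace 10.0.0.1 lladdr 00:11:22:33:44:55 dev eth0 nud permanent`. On the client side, the signal a careful user would see is an SSH host key mismatch warning, unless the interposing server can present the real host's key, so host key warnings on a provider's network should be treated as incidents rather than dismissed.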
The monetization strategies vary and they also include stealing credit card information entered into payment sites, redirecting web traffic to generate revenue from ads and affiliate programs, using compromised servers to send spam, and selling the captured credentials.
Ebury components described in the report include:
- (module name not preserved in this copy of the article): allows the compromised server to run arbitrary commands and support spam campaigns.
- KernelRedirect: a Linux kernel module that hooks into Netfilter and rewrites the Location header of HTTP responses, redirecting visitors to malicious URLs.
- FrizzySteal: hooks into libcurl to intercept and exfiltrate HTTP requests made from the compromised server.
ESET's latest investigation was carried out in collaboration with the Dutch National High Tech Crime Unit, which recently seized a backup server used by the cybercriminals.
The Dutch authorities say the Ebury actors use fake or stolen identities, sometimes even assuming the monikers of other cybercriminals to mislead law enforcement.
The NHTCU is investigating evidence found in that server, including virtual machines containing web browsing artifacts such as history and saved logins, but no concrete attributions have been made yet.
Published on www.bleepingcomputer.com, Tue, 14 May 2024 16:35:24 +0000.