15 May 2024

Ebury botnet infects 400K Linux servers for cryptocurrency theft


Ebury botnet infects 400K Linux servers for cryptocurrency theft

ESET researchers published details on a decade-long botnet operation, which has infected nearly 400,000 Linux servers since its inception in 2009. Despite the arrest of one perpetrator after the initial exposure in 2014, the malware has continued to thrive, morphing and expanding its reach for financial gain.

Ebury is an OpenSSH backdoor and credential stealer, with roughly 100,000 servers still compromised as of late 2023. ESET said that it has observed significant updates in the malware capabilities over the years, notably in 2014 and 2017.

Ebury leverages its access to hosting provider infrastructures, where it installs itself across rented servers within days. The malware employs sophisticated tactics, such as intercepting SSH traffic within data centers and utilizing compromised servers for ARP spoofing, to propagate itself and steal credentials.

“Ebury operators leverage existing Ebury-compromised servers in the same network segment as their target to perform ARP spoofing,” the report said. “According to internet telemetry, more than 200 servers were targeted in 2023. Among the targets are Bitcoin and Ethereum nodes. Ebury automatically steals cryptocurrency wallets hosted on the targeted server once the victim types the password to log into it.”

Over the years, Ebury's arsenal has been upgraded with new techniques and updates, including version 1.8 released in late 2023. This update introduces enhanced obfuscation methods, a new domain generation algorithm (DGA), and improvements to its userland rootkit, rendering it even more challenging for system administrators to detect.


Back to the list

Latest Posts

Threat actors abusing Foxit PDF Reader flaw to deploy multiple malware variants

Threat actors abusing Foxit PDF Reader flaw to deploy multiple malware variants

The flaw involves Foxit PDF Reader's handling of pop-up messages.
20 May 2024
China-linked APT group uses malware to spy on commercial shipping

China-linked APT group uses malware to spy on commercial shipping

Mustang Panda infiltrated the computer systems of cargo shipping companies in Norway, Greece, and the Netherlands.
20 May 2024
The Grandoreiro malware is back up and running after January disruption

The Grandoreiro malware is back up and running after January disruption

Grandoreiro now targets over 1,500 banks worldwide, spanning more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific region.
20 May 2024