1. Home
  2. Software
  3. Ebury

Ebury

Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).[1][2][3]

ID: S0377
Type: MALWARE
Platforms: Linux
Contributors: Marc-Etienne M.Léveillé, ESET
Version: 1.3
Created: 19 April 2019
Last Modified: 23 April 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

Ebury has used DNS requests over UDP port 53 for C2.[1]

Enterprise T1020 Automated Exfiltration

Ebury can automatically exfiltrate gathered SSH credentials.[4]
Enterprise T1059 .006 Command and Scripting Interpreter: Python

Ebury has used Python to implement its DGA.[3]

Enterprise T1554 Compromise Client Software Binary

Ebury has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information.[1]
Enterprise T1132 .001 Data Encoding: Standard Encoding

Ebury has encoded C2 traffic in hexadecimal format.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.[3]
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Ebury has used a DGA to generate a domain name for C2.[1][3]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.[1]
Enterprise T1041 Exfiltration Over C2 Channel

Ebury can exfiltrate SSH credentials through custom DNS queries.[4]
Enterprise T1008 Fallback Channels

Ebury has implemented a fallback mechanism to begin using a DGA when the attacker hasn't connected to the infected system for three days.[3]
Enterprise T1083 File and Directory Discovery

Ebury can list directory entries.[3]

Enterprise T1574 .006 Hijack Execution Flow: Dynamic Linker Hijacking

Ebury has injected its dynamic library into descendent processes of sshd via LD_PRELOAD.[3]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.[3]
.006 Impair Defenses: Indicator Blocking

Ebury can hook logging functions so that nothing from the backdoor gets sent to the logging facility.[1]

Enterprise T1556 Modify Authentication Process

Ebury can intercept private keys using a trojanized ssh-add function.[1]
.003 Pluggable Authentication Modules

Ebury can deactivate PAM modules to tamper with the sshd configuration.[3]
Enterprise T1027 Obfuscated Files or Information

Ebury has obfuscated its strings with a simple XOR encryption with a static key.[1]
Enterprise T1014 Rootkit

Ebury has used user mode rootkit techniques to remain hidden on the system.[3]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.[1]
Enterprise T1552 .004 Unsecured Credentials: Private Keys

Ebury has intercepted unencrypted private keys as well as private key pass-phrases.[1]

Groups That Use This Software

ID Name References
G0124 Windigo

[3]

References

  1. M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  2. Cimpanu, C.. (2017, March 29). Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware. Retrieved April 23, 2019.
  1. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.
  2. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021.