S0377 Ebury
Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc.) or modify a shared library used by OpenSSH (libkeyutils). [1][2][3]
| Item | Value | 
|---|---|
| ID | S0377 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.3 | 
| Created | 19 April 2019 | 
| Last Modified | 23 April 2021 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - | 
| enterprise | T1071.004 | DNS | Ebury has used DNS requests over UDP port 53 for C2. [1] | 
| enterprise | T1020 | Automated Exfiltration | Ebury can automatically exfiltrate gathered SSH credentials. [4] | 
| enterprise | T1059 | Command and Scripting Interpreter | - | 
| enterprise | T1059.006 | Python | Ebury has used Python to implement its DGA. [3] | 
| enterprise | T1554 | Compromise Client Software Binary | Ebury has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information. [1] | 
| enterprise | T1132 | Data Encoding | - | 
| enterprise | T1132.001 | Standard Encoding | Ebury has encoded C2 traffic in hexadecimal format. [1] | 
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key. [3] | 
| enterprise | T1568 | Dynamic Resolution | - | 
| enterprise | T1568.002 | Domain Generation Algorithms | Ebury has used a DGA to generate a domain name for C2. [1][3] | 
| enterprise | T1573 | Encrypted Channel | - | 
| enterprise | T1573.001 | Symmetric Cryptography | Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string. [1] | 
| enterprise | T1041 | Exfiltration Over C2 Channel | Ebury can exfiltrate SSH credentials through custom DNS queries. [4] | 
| enterprise | T1008 | Fallback Channels | Ebury has implemented a fallback mechanism to begin using a DGA when the attacker hasn't connected to the infected system for three days. [3] | 
| enterprise | T1083 | File and Directory Discovery | Ebury can list directory entries. [3] | 
| enterprise | T1574 | Hijack Execution Flow | - | 
| enterprise | T1574.006 | Dynamic Linker Hijacking | Ebury has injected its dynamic library into descendent processes of sshd via LD_PRELOAD. [3] | 
| enterprise | T1562 | Impair Defenses | - | 
| enterprise | T1562.001 | Disable or Modify Tools | Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules. [3] | 
| enterprise | T1562.006 | Indicator Blocking | Ebury can hook logging functions so that nothing from the backdoor gets sent to the logging facility. [1] | 
| enterprise | T1556 | Modify Authentication Process | Ebury can intercept private keys using a trojanized ssh-add function. [1] | 
| enterprise | T1556.003 | Pluggable Authentication Modules | Ebury can deactivate PAM modules to tamper with the sshd configuration. [3] | 
| enterprise | T1027 | Obfuscated Files or Information | Ebury has obfuscated its strings with a simple XOR encryption with a static key. [1] | 
| enterprise | T1014 | Rootkit | Ebury has used user mode rootkit techniques to remain hidden on the system. [3] | 
| enterprise | T1553 | Subvert Trust Controls | - | 
| enterprise | T1553.002 | Code Signing | Ebury has installed a self-signed RPM package mimicking the original system package on RPM-based systems. [1] | 
| enterprise | T1552 | Unsecured Credentials | - | 
| enterprise | T1552.004 | Private Keys | Ebury has intercepted unencrypted private keys as well as private key pass-phrases. [1] | 
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G0124 | Windigo | [3] | 
References
1. Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
2. Cimpanu, C. (2017, March 29). Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware. Retrieved April 23, 2019.
3. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
4. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign. Retrieved February 10, 2021.