Skip to content

S0377 Ebury

Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).123

Item Value
ID S0377
Associated Names
Version 1.3
Created 19 April 2019
Last Modified 23 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS Ebury has used DNS requests over UDP port 53 for C2.1
enterprise T1020 Automated Exfiltration Ebury can automatically exfiltrate gathered SSH credentials.4
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.006 Python Ebury has used Python to implement its DGA.3
enterprise T1554 Compromise Client Software Binary Ebury has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Ebury has encoded C2 traffic in hexadecimal format.1
enterprise T1140 Deobfuscate/Decode Files or Information Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.3
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms Ebury has used a DGA to generate a domain name for C2.13
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.1
enterprise T1041 Exfiltration Over C2 Channel Ebury can exfiltrate SSH credentials through custom DNS queries.4
enterprise T1008 Fallback Channels Ebury has implemented a fallback mechanism to begin using a DGA when the attacker hasn’t connected to the infected system for three days.3
enterprise T1083 File and Directory Discovery Ebury can list directory entries.3
enterprise T1574 Hijack Execution Flow -
enterprise T1574.006 Dynamic Linker Hijacking Ebury has injected its dynamic library into descendent processes of sshd via LD_PRELOAD.3
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.3
enterprise T1562.006 Indicator Blocking Ebury can hook logging functions so that nothing from the backdoor gets sent to the logging facility.1
enterprise T1556 Modify Authentication Process Ebury can intercept private keys using a trojanized ssh-add function.1
enterprise T1556.003 Pluggable Authentication Modules Ebury can deactivate PAM modules to tamper with the sshd configuration.3
enterprise T1027 Obfuscated Files or Information Ebury has obfuscated its strings with a simple XOR encryption with a static key.1
enterprise T1014 Rootkit Ebury has used user mode rootkit techniques to remain hidden on the system.3
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.004 Private Keys Ebury has intercepted unencrypted private keys as well as private key pass-phrases.1

Groups That Use This Software

ID Name References
G0124 Windigo 3