S0377 Ebury
Ebury is an OpenSSH backdoor and credential stealer developed by Windigo that targets Linux servers and container hosts. Ebury is primarily installed by modifying shared libraries (.so files) that the legitimate OpenSSH program loads. First seen in 2009, Ebury has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.[2][1][4][3]
| Item | Value |
|---|---|
| ID | S0377 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.0 |
| Created | 19 April 2019 |
| Last Modified | 20 September 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.004 | DNS | Ebury has used DNS requests over UDP port 53 for C2.[2] |
| enterprise | T1020 | Automated Exfiltration | If credentials have not been collected for two weeks, Ebury encrypts the credentials with a public key and sends them via UDP to an IP address found in a DNS TXT record.[5][3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | Ebury can use the commands Xcsh or Xcls to open a shell with Ebury-level permissions and Xxsh to open a shell with root-level permissions.[3] |
| enterprise | T1059.006 | Python | Ebury has used Python to implement its DGA.[4] |
| enterprise | T1554 | Compromise Host Software Binary | Ebury modifies the keyutils library to add malicious behavior to the OpenSSH client and the curl library.[2][3] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Ebury has encoded C2 traffic in hexadecimal format.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.[4] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | Ebury has used a DGA to generate a domain name for C2.[2][4] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Ebury has encrypted C2 traffic using the client IP address as the key, then encoded it as a hexadecimal string.[2] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Ebury exfiltrates a list of outbound and inbound SSH sessions using OpenSSH's known_hosts files and wtmp records. Ebury can exfiltrate SSH credentials through custom DNS queries or use the command Xcat to send the credentials of the current SSH session to the C2 server.[5][3] |
| enterprise | T1008 | Fallback Channels | Ebury has implemented a fallback mechanism that switches to a DGA when the attacker has not connected to the infected system for three days.[4] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.006 | Dynamic Linker Hijacking | When Ebury is running as an OpenSSH server, it uses LD_PRELOAD to inject its malicious shared module into programs launched by SSH sessions. Ebury hooks the following libc functions to inject into subprocesses: system, popen, execve, execvpe, execv, execvp, and execl.[4][3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.[4] |
| enterprise | T1562.006 | Indicator Blocking | Ebury hooks system functions to prevent the user from seeing malicious files (readdir, realpath, readlink, stat, open, and variants), to hide process activity (ps and readdir64), and to hide socket activity (open and fopen).[2][3] |
| enterprise | T1562.012 | Disable or Modify Linux Audit System | Ebury disables OpenSSH, system (systemd), and audit logs (/sbin/auditd) while the backdoor is active.[3] |
| enterprise | T1556 | Modify Authentication Process | Ebury can intercept private keys using a trojanized ssh-add function.[2] |
| enterprise | T1556.003 | Pluggable Authentication Modules | Ebury can deactivate PAM modules to tamper with the sshd configuration.[4] |
| enterprise | T1027 | Obfuscated Files or Information | Ebury has obfuscated its strings with a simple XOR encryption using a static key.[2] |
| enterprise | T1014 | Rootkit | Ebury acts as a userland rootkit using the SSH service.[4][3] |
| enterprise | T1129 | Shared Modules | Ebury is executed by hooking the keyutils.so file used by legitimate versions of OpenSSH and libcurl.[3] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Ebury has installed a self-signed RPM package mimicking the original system package on RPM-based systems.[2] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.004 | Private Keys | Ebury has intercepted unencrypted private keys as well as private key passphrases.[2] |
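The Python script below is an added example, not code from this page or from the ESET analyses it cites. It shows the shape of two defender-side checks that follow from rows in the table above: enumerating dynamic linker preload entries (T1574.006, where Ebury relies on LD_PRELOAD) and spotting long hexadecimal DNS labels, the form hex-encoded traffic takes when carried over UDP/53 (T1071.004, T1132.001). Every file content, environment variable, log line, path and domain in it is a constructed placeholder, the 16-character hex threshold and the query-log line format are assumptions, and nothing in it reads the live host.

```python
"""Added detection checks for two Ebury behaviours from the table above:
dynamic linker hijacking via LD_PRELOAD / /etc/ld.so.preload (T1574.006) and
hex-encoded data carried in DNS query names over UDP/53 (T1071.004, T1132.001).
Every input below is a constructed sample; nothing here reads the live host."""
import re
from typing import Dict, List

# A leftmost DNS label of 16+ hexadecimal characters looks like encoded data
# rather than a hostname someone chose. The threshold is a tunable assumption.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")
# Shape of a resolver query-log line (constructed format for this example).
QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)")


def preload_findings(ld_so_preload: str, environ: Dict[str, str]) -> List[str]:
    """List every shared object named in /etc/ld.so.preload text or in an
    LD_PRELOAD variable. On a typical server both are empty, so each entry
    (a path, or a bare name the loader would search for) deserves review."""
    found = []
    for raw in ld_so_preload.splitlines():
        # Entries are whitespace separated; text after '#' is treated as a
        # comment here (an assumption about the file format for this example).
        for entry in raw.split("#", 1)[0].split():
            found.append(f"ld.so.preload: {entry}")
    # LD_PRELOAD accepts colon- or space-separated object names.
    for obj in environ.get("LD_PRELOAD", "").replace(":", " ").split():
        found.append(f"LD_PRELOAD: {obj}")
    return found


def suspicious_dns_queries(log_lines: List[str]) -> List[str]:
    """Return 'name (type)' for query-log lines whose leftmost label is a long
    hex string: the shape hex-encoded C2 or exfiltration traffic takes when
    tunnelled through DNS. Lines that do not match the log format are skipped."""
    hits = []
    for line in log_lines:
        match = QUERY_RE.search(line)
        if not match:
            continue
        name = match.group("name").rstrip(".")
        labels = name.split(".")
        if len(labels) >= 2 and HEX_LABEL.match(labels[0].lower()):
            hits.append(f"{name} ({match.group('qtype')})")
    return hits


# Constructed samples (placeholder paths and domains, not real indicators).
SAMPLE_LD_SO_PRELOAD = (
    "# constructed sample file\n"
    "/usr/local/lib/constructed-hook.so  # trailing comment\n"
    "\n"
)
SAMPLE_ENVIRON = {"PATH": "/usr/bin:/bin", "LD_PRELOAD": "/path/to/suspect.so"}
SAMPLE_DNS_LOG = [
    "client 10.0.0.5#41234: query: www.example.org IN A",
    "client 10.0.0.5#41235: query: 7265616c6c7968657864617461.c2-example.invalid IN TXT",
    "client 10.0.0.5#41236: query: mail.example.org IN MX",
    "client 10.0.0.5#41237: query: deadbeef.example.org IN A",  # 8 hex chars: below threshold
]

if __name__ == "__main__":
    for finding in preload_findings(SAMPLE_LD_SO_PRELOAD, SAMPLE_ENVIRON):
        print("preload:", finding)
    for query in suspicious_dns_queries(SAMPLE_DNS_LOG):
        print("dns:", query)
```

On a real host the preload check would read /etc/ld.so.preload and each process's /proc/PID/environ, and a finding is only a starting point: because Ebury replaces the keyutils library in place and has shipped it in a self-signed RPM, the preload check should be paired with package-manager verification of the library's hash against the distribution's signed package. The DNS heuristic needs an allowlist for legitimate long hex hostnames (CDN and cloud-generated names are common) before it is used for alerting.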
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0124 | Windigo | [4] |
References
1. Cimpanu, C. (2017, March 29). Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware. Retrieved April 23, 2019.
2. M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
3. M.Léveillé, M. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.
4. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
5. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign. Retrieved February 10, 2021.