Ebury (SSH backdoor) – Malware

July 12, 2024

Ebury

Type of Malware

OpenSSH backdoor and credential stealer

Date of initial activity

2011

Country of Origin

Unknown

Motivation

Financial gain. The monetization strategies vary, though, and they also include stealing credit card information entered into payment sites, redirecting web traffic to generate revenue from ads and affiliate programs, using compromised servers to send spam, and selling the captured credentials.

Type of Information Stolen

Financial Information, Login Credentials, Cryptocurrencies

Tools

The initial compromise is performed via credential stuffing attacks, using stolen credentials to log into the servers.

Targeted System

Linux

Overview

Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, allowing them to replace SSH binaries (such as ssh, sshd, ssh-add) or modify a shared library used by OpenSSH (libkeyutils). This payload was used to compromise kernel.org in August 2011 and later affected cPanel Support, leading to the infection of numerous cPanel servers. It is a credential-stealing payload that captures SSH keys, passwords, and potentially other credentials. Ebury is part of a broader suite of tools detailed in the “Operation Windigo” whitepaper by ESET. A decade ago, ESET researchers raised awareness of Ebury through this whitepaper, which documented a campaign leveraging Linux malware for financial gain. Despite the arrest and conviction of one of the Ebury perpetrators following the publication, the botnet continued to expand.

Targets

Among the victims are many hosting providers and data centers.

How they operate

The initial compromise is performed via credential stuffing attacks, where attackers use stolen credentials to log into servers. Once a server is compromised, the malware exfiltrates a list of inbound and outbound SSH connections from wtmp and the known_hosts file and steals SSH authentication keys, which are then used to attempt logins on other systems. Alternatively, attackers may exploit known vulnerabilities in the server software to gain further access or elevate their privileges.

In the next phase, the malware operators intercept SSH traffic on targeted servers within data centers using Address Resolution Protocol (ARP) spoofing to redirect traffic to a server under their control. When a user logs into a compromised server via SSH, Ebury captures the login credentials. If the compromised servers host cryptocurrency wallets, Ebury uses the captured credentials to empty the wallets automatically. ESET reports that Ebury targeted at least 200 servers using this method throughout 2023, including Bitcoin and Ethereum nodes. Monetization strategies vary and include stealing credit card information from payment sites, redirecting web traffic to generate revenue from ads and affiliate programs, using compromised servers to send spam, and selling captured credentials.

In late 2023, ESET observed the introduction of new obfuscation techniques and a domain generation algorithm (DGA) system that allows the botnet to evade detection and improve its resilience against blocks.

The malware modules spread via the Ebury botnet, based on ESET’s latest observations, include:

  • HelimodProxy: Proxies raw traffic and relays spam by modifying the mod_dir.so Apache module, allowing the compromised server to run arbitrary commands and support spam campaigns.
  • HelimodRedirect: Redirects HTTP traffic to attacker-controlled websites by modifying various Apache and nginx modules to redirect a small percentage of web traffic to malicious sites.
  • HelimodSteal: Exfiltrates sensitive information from HTTP POST requests by adding an input filter that intercepts and steals data submitted via web forms, such as login credentials and payment details.
  • KernelRedirect: Modifies HTTP traffic at the kernel level to redirect visitors by using a Linux kernel module that hooks into Netfilter, changing the Location header in HTTP responses to redirect users to malicious URLs.
  • FrizzySteal: Intercepts and exfiltrates HTTP requests by hooking into libcurl, enabling it to capture and steal data from HTTP requests made by the compromised server.
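A defender-side check for the ARP spoofing step described above, added here as an example (not code from this page or from ESET): it parses successive `ip neigh show` snapshots and flags an IP address, in particular the gateway, whose MAC changes between snapshots, or a single MAC answering for several IPs. The `ip neigh` line layout is an assumption and the sample addresses are constructed.

```python
import re

# Matches an IPv4 `ip neigh show` line such as (assumed layout):
#   10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
NEIGH_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev \S+ lladdr "
                      r"(?P<mac>[0-9a-f:]{17}) (?P<state>\S+)$")

def parse_snapshot(text):
    """Return {ip: mac} for entries that carry a resolved link-layer address."""
    table = {}
    for line in text.strip().splitlines():
        m = NEIGH_RE.match(line.strip().lower())
        if m and m.group("state") not in ("failed", "incomplete"):
            table[m.group("ip")] = m.group("mac")
    return table

def detect(snapshots, gateway, max_ips_per_mac=1):
    """Walk successive neighbour-table snapshots and return alert strings:
    an IP (gateway flagged separately) whose MAC changed, or one MAC that
    answers for more IPs than max_ips_per_mac in a single snapshot."""
    alerts, seen = [], {}          # seen: last known ip -> mac
    for idx, snap in enumerate(snapshots):
        table = parse_snapshot(snap)
        owners = {}                # mac -> set of ips in this snapshot
        for ip, mac in table.items():
            old = seen.get(ip)
            if old and old != mac:
                kind = "GATEWAY" if ip == gateway else "HOST"
                alerts.append(f"snapshot {idx}: {kind} {ip} moved {old} -> {mac}")
            seen[ip] = mac
            owners.setdefault(mac, set()).add(ip)
        for mac, ips in owners.items():
            if len(ips) > max_ips_per_mac:
                alerts.append(f"snapshot {idx}: {mac} claims {sorted(ips)}")
    return alerts

# Constructed sample snapshots (not from a real incident): in the second one
# the gateway 10.0.0.1 is suddenly answered by the MAC of host 10.0.0.20.
SNAPSHOTS = [
    "10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE\n"
    "10.0.0.20 dev eth0 lladdr 00:aa:bb:cc:dd:20 STALE\n",
    "10.0.0.1 dev eth0 lladdr 00:aa:bb:cc:dd:20 REACHABLE\n"
    "10.0.0.20 dev eth0 lladdr 00:aa:bb:cc:dd:20 STALE\n",
]

if __name__ == "__main__":
    for alert in detect(SNAPSHOTS, gateway="10.0.0.1"):
        print(alert)
```

In practice the snapshots would come from a periodic cron or agent run of `ip neigh show` on each server, with alerts forwarded to the SIEM.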
References:
  • Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain
    © 2025 | CyberMaterial | All rights reserved