Thousands of Linux servers are still infected by Ebury, a data-stealing malware that has been active for well over a decade and was thought to be extinct.
Ebury is sophisticated malware designed to compromise Linux-based systems, particularly servers. It is a type of backdoor and credential-stealing malware that allows attackers to gain unauthorized access to compromised systems.
Ebury developers are financially motivated and of late are also expanding into the cryptocurrency space. Ebury also appears to be used for spam and redirection of web traffic.
Going after hosting providers
When ESET cybersecurity researchers first reported on Ebury a decade ago, the report resulted in the arrest of the malware's operators. However, that didn't stop the malware from updating and growing in the years since. In total, since 2009, some 400,000 Linux servers have been infected by this backdoor.
At the end of last year, more than 100,000 servers were thought to still be carrying the infection, according to a follow-up report (PDF) that ESET published earlier this week.
Investigators found that Ebury's key victims appear to be hosting providers. “The gang takes advantage of their access to the hosting provider's infrastructure to install Ebury on all the servers rented by that provider,” they explained. As part of an experiment, they rented a virtual server, and it was infected within a week.
“Another interesting method is the use of an adversary in the middle to intercept SSH traffic from interesting targets within data centers and redirect it to a server used to capture credentials,” they added.
Last year, Ebury operators attacked more than 200 servers. Among the targets were many Bitcoin and Ethereum nodes, since one of Ebury's main features is to automatically steal cryptocurrency wallets hosted on the target server as soon as the victim logs in with a password.
Via BleepingComputer