Thousands of Linux servers are still infected by Ebury, a decades-old information-stealing malware that was thought to be extinct.
Ebury is an advanced piece of malware designed to compromise Linux-based systems, especially servers. It is a type of backdoor and credential-stealing malware that allows attackers to gain unauthorized access to compromised systems.
The developers of Ebury are financially motivated and have more recently expanded into the cryptocurrency space. Ebury also appears to be used for spam and web traffic redirection.
Aimed at hosting providers
When ESET cybersecurity researchers first reported on Ebury a decade ago, the report resulted in the arrest of the malware’s operators. However, that didn’t stop the malware from being updated and growing in the years that followed. Cumulatively, approximately 400,000 Linux-powered servers have been infected by this backdoor since 2009.
At the end of last year, more than 100,000 endpoints were still believed to be carrying the infection, according to a follow-up report (pdf) that ESET published earlier this week.
Ebury’s main victims appear to be hosting providers, the researchers found. “The gang uses access to the hosting provider’s infrastructure to install Ebury on all servers rented by that provider,” they explained. As part of an experiment, they rented a virtual server and contracted an infection within a week.
“Another interesting method is to use an adversary in the middle to intercept SSH traffic from targets of interest in data centers and redirect it to a server used to capture credentials,” she added.
Last year, more than 200 servers were targeted by Ebury operators. The targets included many Bitcoin and Ethereum nodes, as one of Ebury’s key features was automatically stealing cryptocurrency wallets hosted on the targeted server as soon as the victim logged in with a password.
Via BleepingComputer