Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).^[1]^[2]

ID: S0377

Type: MALWARE

Platforms: Linux

Contributors: Marc-Etienne M.Léveillé, ESET

Version: 1.1

Created: 19 April 2019

Last Modified: 28 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.004	Application Layer Protocol: DNS	Ebury has used DNS requests over UDP port 53 for C2.^[1]
Enterprise	T1554		Compromise Client Software Binary	Ebury has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information.^[1]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	Ebury has encoded C2 traffic in hexadecimal format.^[1]
Enterprise	T1568	.002	Dynamic Resolution: Domain Generation Algorithms	Ebury has used a DGA to generate a domain name for C2.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.^[1]
Enterprise	T1562	.002	Impair Defenses: Disable Windows Event Logging	Ebury has disabled logging when the backdoor is used.^[1]
Enterprise	T1027		Obfuscated Files or Information	Ebury has obfuscated its strings with a simple XOR encryption with a static key.^[1]
Enterprise	T1553	.002	Subvert Trust Controls: Code Signing	Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.^[1]
Enterprise	T1552	.004	Unsecured Credentials: Private Keys	Ebury has intercepted unencrypted private keys as well as private key pass-phrases.^[1]

References

M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.

Cimpanu, C.. (2017, March 29). Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware. Retrieved April 23, 2019.

Ebury

Enterprise Layer

Techniques Used

References