Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).[1][2][3]

ID: S0377
Platforms: Linux
Contributors: Marc-Etienne M.Léveillé, ESET
Version: 1.3
Created: 19 April 2019
Last Modified: 23 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

Ebury has used DNS requests over UDP port 53 for C2.[1]

Enterprise T1020 Automated Exfiltration

Ebury can automatically exfiltrate gathered SSH credentials.[4]

Enterprise T1059 .006 Command and Scripting Interpreter: Python

Ebury has used Python to implement its DGA.[3]

Enterprise T1554 Compromise Client Software Binary

Ebury has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Ebury has encoded C2 traffic in hexadecimal format.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.[3]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Ebury has used a DGA to generate a domain name for C2.[1][3]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Ebury can exfiltrate SSH credentials through custom DNS queries.[4]

Enterprise T1008 Fallback Channels

Ebury has implemented a fallback mechanism to begin using a DGA when the attacker hasn't connected to the infected system for three days.[3]

Enterprise T1083 File and Directory Discovery

Ebury can list directory entries.[3]

Enterprise T1574 .006 Hijack Execution Flow: Dynamic Linker Hijacking

Ebury has injected its dynamic library into descendent processes of sshd via LD_PRELOAD.[3]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.[3]

.006 Impair Defenses: Indicator Blocking

Ebury can hook logging functions so that nothing from the backdoor gets sent to the logging facility.[1]

Enterprise T1556 Modify Authentication Process

Ebury can intercept private keys using a trojanized ssh-add function.[1]

.003 Pluggable Authentication Modules

Ebury can deactivate PAM modules to tamper with the sshd configuration.[3]

Enterprise T1027 Obfuscated Files or Information

Ebury has obfuscated its strings with a simple XOR encryption with a static key.[1]

Enterprise T1014 Rootkit

Ebury has used user mode rootkit techniques to remain hidden on the system.[3]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.[1]

Enterprise T1552 .004 Unsecured Credentials: Private Keys

Ebury has intercepted unencrypted private keys as well as private key pass-phrases.[1]

Groups That Use This Software

ID Name References
G0124 Windigo