Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc.) or modify a shared library used by OpenSSH (libkeyutils).[1][2]

ID: S0377
Platforms: Linux
Contributors: Marc-Etienne M.Léveillé, ESET
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1116 | Code Signing | Ebury has installed a self-signed RPM package mimicking the original system package on RPM-based systems. [1]
Enterprise | T1043 | Commonly Used Port | Ebury has used UDP port 53 for C2. [1]
Enterprise | T1024 | Custom Cryptographic Protocol | Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string. [1]
Enterprise | T1132 | Data Encoding | Ebury has encoded C2 traffic. [1]
Enterprise | T1089 | Disabling Security Tools | Ebury has disabled logging when the backdoor is used. [1]
Enterprise | T1483 | Domain Generation Algorithms | Ebury has used a DGA to generate a domain name for C2. [1]
Enterprise | T1027 | Obfuscated Files or Information | Ebury has obfuscated its strings with a simple XOR encryption using a static key. [1]
Enterprise | T1145 | Private Keys | Ebury has intercepted unencrypted private keys as well as private key passphrases. [1]
Enterprise | T1184 | SSH Hijacking | Ebury has hijacked the OpenSSH process by injecting into the existing session as opposed to creating a new session. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Ebury has used DNS requests over UDP port 53. [1]