Ebury
Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).[1][2]
ID: S0377
Type: MALWARE
Platforms: Linux
Contributors: Marc-Etienne M.Léveillé, ESET
Version: 1.0
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1116 | Code Signing |
Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.[1] |
| Enterprise | T1043 | Commonly Used Port | |
| Enterprise | T1024 | Custom Cryptographic Protocol |
Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.[1] |
| Enterprise | T1132 | Data Encoding | |
| Enterprise | T1089 | Disabling Security Tools | |
| Enterprise | T1483 | Domain Generation Algorithms | |
| Enterprise | T1027 | Obfuscated Files or Information |
Ebury has obfuscated its strings with a simple XOR encryption with a static key.[1] |
| Enterprise | T1145 | Private Keys |
Ebury has intercepted unencrypted private keys as well as private key pass-phrases. [1] |
| Enterprise | T1184 | SSH Hijacking |
Ebury has hijacked the OpenSSH process by injecting into the existing session as opposed to creating a new session.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol |