Ebury
Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .004 | Application Layer Protocol: DNS | |
| Enterprise | T1554 | Compromise Client Software Binary |
Ebury has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information.[1] |
|
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding | |
| Enterprise | T1568 | .002 | Dynamic Resolution: Domain Generation Algorithms | |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.[1] |
| Enterprise | T1562 | .002 | Impair Defenses: Disable Windows Event Logging | |
| Enterprise | T1556 | Modify Authentication Process |
Ebury can intercept private keys using a trojanized |
|
| Enterprise | T1027 | Obfuscated Files or Information |
Ebury has obfuscated its strings with a simple XOR encryption with a static key.[1] |
|
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.[1] |
| Enterprise | T1552 | .004 | Unsecured Credentials: Private Keys |
Ebury has intercepted unencrypted private keys as well as private key pass-phrases.[1] |