Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc.) or modify a shared library used by OpenSSH (libkeyutils).[1][2]

ID: S0377
Contributors: Marc-Etienne M.Léveillé, ESET

Platforms: Linux

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1116 | Code Signing | Ebury has installed a self-signed RPM package mimicking the original system package on RPM-based systems.[1] |
| Enterprise | T1043 | Commonly Used Port | Ebury has used UDP port 53 for C2.[1] |
| Enterprise | T1024 | Custom Cryptographic Protocol | Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.[1] |
| Enterprise | T1132 | Data Encoding | Ebury has encoded C2 traffic.[1] |
| Enterprise | T1089 | Disabling Security Tools | Ebury has disabled logging when the backdoor is used.[1] |
| Enterprise | T1483 | Domain Generation Algorithms | Ebury has used a DGA to generate a domain name for C2.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Ebury has obfuscated its strings with a simple XOR encryption with a static key.[1] |
| Enterprise | T1145 | Private Keys | Ebury has intercepted unencrypted private keys as well as private key passphrases.[1] |
| Enterprise | T1184 | SSH Hijacking | Ebury has hijacked the OpenSSH process by injecting into the existing session as opposed to creating a new session.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Ebury has used DNS requests over UDP port 53.[1] |