Ebury

Malware updated 4 months ago (2024-06-28T08:18:03.087Z)

Download STIX

Preview STIX

Ebury is a sophisticated malware that has been causing havoc in the cyber world for over 15 years, with its main target being Linux servers. The first significant investigation into Ebury was conducted by ESET in 2014, revealing it as a key component of Operation Windigo. Ten years later, this threat remains potent, having compromised nearly 400,000 servers since 2009. The malware's reach has expanded beyond disruption and data theft to include financial exploitation through credit card and cryptocurrency theft. The Ebury botnet has evolved significantly over time, adding new features and expanding its toolkit for monetization. Despite infecting around 25,000 servers initially, recent findings suggest that the malware has developed advanced functionalities focusing on financial gain. If system administrators sanitize their infected servers, there's a risk that the cybercriminals behind Ebury could reinstall the malware if compromised credentials are reused. In response to the persistent threat, ESET released detection and remediation tools to help system administrators identify and deal with Ebury compromises. The Dutch National High Tech Crime Unit (NHTCU) discovered Ebury on a victim's server during a cryptocurrency theft investigation in 2021. This led to increased scrutiny of the malware and its operators. In 2015, one of the key individuals behind Ebury, Russian citizen Maxim Senak, was arrested at the Finland-Russia border and extradited to the US. Since then, remaining Ebury masterminds have maintained a low profile, but the malware continues to pose a substantial threat.

Description last updated: 2024-06-28T08:16:12.164Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Windigo is a possible alias for Ebury. Windigo is a threat actor known for its malicious campaign, Operation Windigo, which was first brought to light in a white paper published by ESET in 2014. This operation involved the use of multiple malware families, with the Ebury malware family at its core. The campaign leveraged Linux malware fo	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Botnet

Linux

Backdoor

Malware

Rootkit

Spam

Eset

Openssh

AITM

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Ebury Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
ESET	4 months ago	ESET Threat Report H1 2024
Securityaffairs	5 months ago	Security Affairs newsletter Round 472 by Pierluigi Paganini – INTERNATIONAL EDITION
ESET	5 months ago	The who, where, and how of APT attacks – Week in security with Tony Anscombe
DARKReading	5 months ago	400K Linux Servers Recruited by Resurrected Ebury Botnet
ESET	5 months ago	Ebury is alive but unseen: 400k Linux servers compromised for cryptotheft and financial gain
InfoSecurity-magazine	5 months ago	Ebury Botnet Operators Diversify with Financial and Crypto Theft
MITRE	2 years ago	CERN Computer Security Information
MITRE	2 years ago	An In‑depth Analysis of Linux/Ebury \| WeLiveSecurity
MITRE	2 years ago	Windigo Still not Windigone: An Ebury Update \| WeLiveSecurity
MITRE	2 years ago	Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware