Ebury

Malware Profile Updated 3 days ago
Ebury is malware first identified in 2011 that specifically targets UNIX-like operating systems such as Linux, FreeBSD, and Solaris. Over its lifetime the malware has infected approximately 25,000 servers, with activity significantly higher in 2023 than in 2021. Ebury's primary function is to steal cryptocurrency wallets hosted on the targeted servers once a victim logs into them. The malware also leverages compromised servers within the same network segment to perform Address Resolution Protocol (ARP) spoofing, which lets it deploy various types of attacks against neighbouring hosts.

The Ebury group has continually evolved its infection and monetization methods, which proved fruitful, as evidenced by the increased activity in 2023. A significant development was the release of a new major version, 1.8, first seen in late 2023. This update introduced new obfuscation techniques, a new domain generation algorithm (DGA), and improvements to the userland rootkit Ebury uses to hide itself from system administrators. The ESET report also noted new propagation methods employed after 2021, indicating the group's adaptive approach to maintaining and expanding its botnet.

Maxim Senakh, a 41-year-old from Velikii Novgorod, Russia, has pleaded guilty for his role in creating and maintaining the Ebury malware, following legal proceedings in the US. Senakh confessed to collaborating with other, unnamed co-conspirators in the development and deployment of the malware. The plea marks a significant milestone in the fight against cybercrime, highlighting the global effort to hold accountable those responsible for creating and spreading malware like Ebury.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: Windigo
Votes: 3
Profile Description: Windigo is a threat actor, known for its malicious cyber activities that primarily target Linux servers. The first known attack by Windigo dates back to 2011 when the Ebury malware was discovered during an attack on the Linux Foundation. In 2014, cybersecurity firm ESET published a white paper title
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Botnet
Linux
Malware
Rootkit
Eset
Spam
Openssh
AITM
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Ebury malware was read from the documents in the corpus below. This display is limited to 20 results.

Source / Created At / Title
MITRE (a year ago): Windigo Still not Windigone: An Ebury Update | WeLiveSecurity
MITRE (a year ago): An In-depth Analysis of Linux/Ebury | WeLiveSecurity
MITRE (a year ago): Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware
ESET (2 days ago): Ebury is alive but unseen: 400k Linux servers compromised for cryptotheft and financial gain
InfoSecurity-magazine (3 days ago): Ebury Botnet Operators Diversify with Financial and Crypto Theft
MITRE (a year ago): CERN Computer Security Information
DARKReading (7 hours ago): 400K Linux Servers Recruited by Resurrected Ebury Botnet