Ebury is a sophisticated Linux malware, first discovered in 2011, that targets SSH servers to establish backdoor access and enable unauthorized remote control of infected systems. This malware is primarily designed to harvest credentials, such as SSH login information from compromised servers, allowing attackers to infiltrate other machines in the network. Ebury is particularly notorious for its use in large-scale botnets, where compromised systems are used for a range of malicious activities. These include sending spam, conducting Distributed Denial of Service (DDoS) attacks, deploying additional malware, and stealing sensitive information such as cryptocurrency wallets, login credentials, and credit card details.
One of Ebury’s key features is its persistence, achieved by modifying core system libraries (such as replacing libkeyutils) and employing a userland rootkit to hide its presence from system administrators. Additionally, Ebury often leverages obfuscation and encryption to disguise its communications with command-and-control servers, making detection and analysis more challenging. Its ability to silently maintain access while executing a range of malicious activities makes it a significant threat to network security.
AttackIQ has released an attack graph that emulates the behaviors exhibited by Ebury to help customers validate their security controls and their ability to defend against this threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against stealthy and persistent Linux threats.
- Assess their security posture against the Tactics, Techniques and Procedures (TTPs) exhibited by Ebury.
- Continuously validate detection and prevention pipelines on Linux environments.
Ebury – 2024-05 – Infection Chain
In May 2024, ESET published a whitepaper that provides an in-depth analysis of the Ebury Linux malware. Ebury continues to compromise Linux servers globally for financial gain. Despite prior arrests and actions against key perpetrators, Ebury’s operations have persisted and the malware continues to evolve.
In response to this report, AttackIQ has built this attack graph to emulate Ebury’s behaviors and Tactics, Techniques and Procedures (TTPs) outlined in the whitepaper.
Initial Access & Defense Evasion – Ebury Deployment
This stage performs the download and save of the Ebury sample into the system. Then, the LD_PRELOAD environment variable is used to load a custom-crafted shared library. Subsequently, the timestamp of a temporary file is modified. Finally, a filename is modified to mimic a legitimate process.
Ingress Tool Transfer (T1105): This is split into two scenarios, one that downloads the sample to memory and one that saves it to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious content.
Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006): This scenario uses the LD_PRELOAD environment variable to load a custom-crafted shared library.
Indicator Removal: Timestomp (T1070.006): This scenario simulates the timestomp technique by creating a temporary file and modifying the file’s timestamp with a Bash script.
Masquerading: Rename System Utilities (T1036.003): This scenario copies the sh binary from standard system directories, renames it to “ping” to bypass detection, and then executes the whoami command.
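The masquerading and timestomp scenarios above leave two host artefacts a defender can look for: a system binary that reappears under another name with identical content, and a file whose modification time has been rewound while its change time (which userland cannot set) still reflects the real write. The following is an added example, not AttackIQ's scenario code; it builds its own constructed scene in a temporary directory, and the hash-comparison and mtime/ctime checks are this example's approach rather than anything the page prescribes.

```python
"""Host checks for a renamed copy of a system binary and for a timestomped file.
Added example; the scene it scans is constructed in a temp directory, not real data."""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_masqueraded_copies(directory: Path, reference: Path) -> list:
    """Names of files in `directory` whose content hash equals `reference` but whose
    name differs. A byte-identical copy of sh called "ping" is exactly that."""
    ref_hash = sha256_of(reference)
    return sorted(
        p.name for p in directory.iterdir()
        if p.is_file() and p.name != reference.name and sha256_of(p) == ref_hash
    )


def looks_timestomped(path: Path, slack_seconds: int = 3600) -> bool:
    """utime()/touch can rewind atime and mtime, but ctime is set by the kernel on
    every inode change and cannot be rewound from userland, so an mtime far behind
    ctime is the classic timestomp artefact. Benign causes exist (cp -p, rsync -t,
    tar extraction), so treat hits as triage candidates, not verdicts."""
    st = path.stat()
    return st.st_mtime < st.st_ctime - slack_seconds


def build_constructed_scene() -> Path:
    """Constructed input: a fake 'sh', a copy of it named 'ping', an unrelated file,
    and a temp file whose mtime is pushed ten years into the past."""
    root = Path(tempfile.mkdtemp(prefix="ebury-demo-"))
    sh = root / "sh"
    sh.write_bytes(b"#!/bin/sh\necho constructed-shell\n")
    shutil.copy(sh, root / "ping")            # copy() does not preserve timestamps
    (root / "ls").write_bytes(b"unrelated binary content")
    tmp = root / "tmpfile"
    tmp.write_bytes(b"x")
    ten_years_ago = time.time() - 10 * 365 * 86400
    os.utime(tmp, (ten_years_ago, ten_years_ago))  # rewinds atime/mtime; ctime stays "now"
    return root


def scan(root: Path) -> dict:
    """Run both checks over one directory and report file names only."""
    return {
        "masqueraded": find_masqueraded_copies(root, root / "sh"),
        "timestomped": sorted(
            p.name for p in root.iterdir() if p.is_file() and looks_timestomped(p)
        ),
    }


if __name__ == "__main__":
    print(scan(build_constructed_scene()))
```

On a real host the reference would be the package-managed /bin/sh and the directories scanned would be the usual drop locations (/tmp, /dev/shm, /var/tmp); comparing against the distribution's package manifest hashes catches renamed copies of any binary, not just sh.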
Discovery & Credential Access – Profiling the System and Obtaining Credentials
This stage begins by collecting system and network information. Next, it modifies file permissions to gain elevated access. Finally, it initiates an HTTP connection for command-and-control communications.
System Information Discovery (T1082): This scenario executes the lshw command to collect information about the compromised system.
System Network Configuration Discovery (T1016): This scenario executes ip route, netstat, route, ifconfig or arp to obtain information about the system’s network configuration.
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222.002): This scenario executes the chmod command to change permissions on a specified file or directory.
Application Layer Protocol: Web Protocols (T1071.001): This scenario simulates an attacker using TCP port 80 to communicate via the HTTP protocol, attempting to bypass network security defenses.
Collection and Exfiltration – Infecting Additional Systems and Exfiltrating Files
In this stage, Ebury moves laterally through compromised SSH connections to spread across the network and encrypt targeted files. Then, it starts an SSH session with an external server. Finally, it exfiltrates the collected data by compressing it with tar and sending it through DNS A records over UDP protocol.
Remote Services: SSH (T1021.004): This scenario attempts to open a remote shell and execute commands on target computers using the Secure Shell (SSH) protocol.
Remote Services: SSH (T1021.004): This scenario initiates an SSH connection to an external AttackIQ-hosted server to exercise restrictions in outbound traffic.
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): This scenario simulates the exfiltration of information over DNS using DNS A record queries.
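Exfiltration over DNS A-record queries works by encoding the data into the query name itself, so the network-side tell is a burst of queries from one client to one parent domain whose leftmost labels are long, high-entropy and never repeat. The following detection pass is an added example, not AttackIQ or ESET code; the resolver log it reads is constructed for the example, and the log format (timestamp, client, query name, query type) and the thresholds are assumptions to be tuned against real resolver logs.

```python
"""Flag (client, parent domain) pairs that issue many A queries with long, high-entropy
leading labels. Added example; SAMPLE_QUERY_LOG is constructed, not captured data."""
import math
import re
from collections import defaultdict

# Constructed resolver log lines: "<unix ts> <client ip> <qname> <qtype>"
SAMPLE_QUERY_LOG = """\
1715000001 10.0.0.5 www.example.com A
1715000002 10.0.0.5 3f9a1c77e2b04d8e9f12aa6c0b5d7e31.exfil.example A
1715000002 10.0.0.5 a81b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.exfil.example A
1715000003 10.0.0.5 0c1d2e3f4a5b6c7d8e9fa0b1c2d3e4f5.exfil.example A
1715000003 10.0.0.5 b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7.exfil.example A
1715000004 10.0.0.5 mail.example.com A
1715000005 10.0.0.7 cdn.static.example.net A
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded data lands near 4.0, ordinary host names well below 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (data-carrying labels, parent domain), treating the last two labels as the
    parent. Assumption for the example: a public-suffix list would do this properly."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return [], qname
    return labels[:-2], ".".join(labels[-2:])


def find_dns_exfil(log: str, min_queries: int = 3, min_label_len: int = 20,
                   min_entropy: float = 3.0) -> list:
    """Group A queries by (client, parent) and keep groups with at least `min_queries`
    distinct labels that are both long and high-entropy."""
    groups = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, qname, qtype = m.groups()
        if qtype != "A":
            continue
        data_labels, parent = split_name(qname)
        for label in data_labels:
            if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
                groups[(client, parent)].add(label)
    return sorted(
        (client, parent, len(labels))
        for (client, parent), labels in groups.items()
        if len(labels) >= min_queries
    )


if __name__ == "__main__":
    for client, parent, n in find_dns_exfil(SAMPLE_QUERY_LOG):
        print(f"{client} sent {n} encoded-looking A queries under {parent}")
```

The same scoring applies to TXT or other record types; restricting to A here mirrors the scenario. Rate (queries per minute) and total encoded bytes per parent domain are the next two features worth adding once the log volume is real.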
Opportunities to Expand Emulation Capabilities
In addition to the released attack graph, AttackIQ recommends the following scenarios to extend the emulation of the capabilities exhibited by Ebury.
Dump Linux Passwords: This scenario aims to extract passwords stored in the memory of running processes on a Linux system through the /proc file system.
Connection Proxy: This scenario simulates the use of proxies to mask communications by establishing an HTTP connection to an AttackIQ server through a user-specified proxy.
Detection and Mitigation Opportunities
With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006):
Adversaries may execute their malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries, such as LD_PRELOAD.
1a. Detection
There are multiple detection opportunities for this technique, such as monitoring executed commands that attempt to modify the LD_PRELOAD variable, monitoring new files added to the absolute path of LD_PRELOAD, monitoring changes to the environment variables, and monitoring newly executed processes searching for unusual activity.
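Two of the detection opportunities above (environment variable changes and the files LD_PRELOAD points at) can be checked directly from procfs: each process exposes its environment in /proc/<pid>/environ, and /etc/ld.so.preload lists libraries the loader injects into every process regardless of environment. The following is an added example, not AttackIQ code, serving both the deployment stage earlier on the page and the detection note here; the environ snapshot and ld.so.preload content it inspects are constructed, and the "trusted directory" list is an assumption to adapt per distribution.

```python
"""Report processes whose LD_PRELOAD names a library outside system library paths, and
any entry in /etc/ld.so.preload. Added example; sample inputs are constructed."""
import os
from typing import Dict, List, Tuple

# Assumption: libraries preloaded from anywhere else deserve a look.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed snapshot of /proc/<pid>/environ for four processes (NUL-separated KEY=VALUE).
SAMPLE_ENVIRON: Dict[int, bytes] = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libevil.so\0HOME=/root\0",
    1235: b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libfakeroot/libfakeroot.so\0",
    1236: b"PATH=/usr/bin\0HOME=/home/user\0",
    1237: b"PATH=/usr/bin\0LD_PRELOAD=./libfake.so\0",
}

# Constructed /etc/ld.so.preload content; on a clean host the file is absent or empty.
SAMPLE_LD_SO_PRELOAD = "# constructed example\n/usr/local/lib/libhook.so\n"


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Decode the NUL-separated KEY=VALUE layout of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_preload_paths(value: str) -> List[str]:
    """LD_PRELOAD entries are separated by spaces or colons; anything not under a
    trusted directory (including relative paths) is reported."""
    paths = [p for p in value.replace(":", " ").split() if p]
    return [p for p in paths if not p.startswith(TRUSTED_DIRS)]


def check_processes(snapshot: Dict[int, bytes]) -> List[Tuple[int, str]]:
    """(pid, library) for every suspicious LD_PRELOAD entry in the snapshot."""
    findings: List[Tuple[int, str]] = []
    for pid, raw in snapshot.items():
        for path in suspicious_preload_paths(parse_environ(raw).get("LD_PRELOAD", "")):
            findings.append((pid, path))
    return findings


def check_ld_so_preload(content: str) -> List[str]:
    """Every non-comment line of /etc/ld.so.preload is loaded into every process,
    so each one is worth reviewing regardless of its directory."""
    libs: List[str] = []
    for line in content.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.append(line)
    return libs


def read_live_processes() -> Dict[int, bytes]:
    """Snapshot environ for every readable process on this host (needs root for others')."""
    snapshot: Dict[int, bytes] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/environ", "rb") as fh:
                snapshot[int(name)] = fh.read()
        except OSError:
            continue  # process exited or not ours to read
    return snapshot


if __name__ == "__main__":
    print("constructed snapshot:", check_processes(SAMPLE_ENVIRON))
    print("constructed ld.so.preload:", check_ld_so_preload(SAMPLE_LD_SO_PRELOAD))
    print("live host:", check_processes(read_live_processes()))
```

A process that has already scrubbed its own environment will not show up in environ, which is why the page also lists monitoring of the executed command line and of new files at the preloaded path; pairing this snapshot with those telemetry sources covers the gap.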
1b. Mitigation
MITRE ATT&CK recommends the following mitigations:
2. OS Credential Dumping: Proc Filesystem (T1003.007):
Adversaries may gather credentials from the proc filesystem or /proc. When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. This can be achieved by using regex patterns. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.
2a. Detection
Monitor executed commands and arguments that may gather credentials from information stored in the Proc filesystem or /proc. For instance, adversaries may use regex patterns to locate readable memory regions of a process and then search or exfiltrate those regions for credentials.
grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | grep -E 'heap|stack' | cut -d' ' -f 1
grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1
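The two grep pipelines above are the kind of command lines that process-creation telemetry (for example auditd EXECVE records) would carry, and the distinguishing feature is a process reading /proc/<pid>/maps or /proc/<pid>/mem for a pid other than its own. The following triage pass is an added example, not AttackIQ or MITRE code; the event records it consumes are constructed, and their field names (pid, uid, exe, cmdline) are an assumed normalised shape rather than any particular product's schema.

```python
"""Flag command lines that read another process's memory map or memory through procfs.
Added example; SAMPLE_EVENTS are constructed process-creation records."""
import re
from typing import Dict, List, Tuple

# Matches /proc/<pid>/maps or /proc/<pid>/mem (and the /proc/self/ forms) as a whole path.
PROC_MEM_RE = re.compile(r"/proc/(self|\d+)/(mem|maps)(?![\w/])")

# Constructed normalised process-creation events.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4321, "uid": 0, "exe": "/usr/bin/grep",
     "cmdline": "grep -E ^[0-9a-f-]* r /proc/2211/maps"},
    {"pid": 4322, "uid": 0, "exe": "/usr/bin/dd",
     "cmdline": "dd if=/proc/2211/mem bs=4096 skip=1 count=16"},
    {"pid": 2211, "uid": 1000, "exe": "/usr/bin/cat",
     "cmdline": "cat /proc/self/maps"},          # a process reading its own map: normal
    {"pid": 4400, "uid": 1000, "exe": "/usr/bin/ps",
     "cmdline": "ps aux"},
    {"pid": 4500, "uid": 0, "exe": "/usr/bin/gdb",
     "cmdline": "gdb -p 2211"},                   # ptrace attach: needs a different signal
]


def cross_process_memory_reads(event: Dict) -> List[Tuple[int, str]]:
    """(target pid, file) for each procfs memory path in the command line that does not
    refer to the executing process itself."""
    hits: List[Tuple[int, str]] = []
    for target, fname in PROC_MEM_RE.findall(event["cmdline"]):
        if target == "self" or int(target) == event["pid"]:
            continue
        hits.append((int(target), fname))
    return hits


def triage(events: List[Dict]) -> List[Tuple[int, str, int, str]]:
    """(pid, exe, target pid, file) for every cross-process maps/mem access seen."""
    findings: List[Tuple[int, str, int, str]] = []
    for ev in events:
        for target, fname in cross_process_memory_reads(ev):
            findings.append((ev["pid"], ev["exe"], target, fname))
    return findings


if __name__ == "__main__":
    for pid, exe, target, fname in triage(SAMPLE_EVENTS):
        print(f"pid {pid} ({exe}) read /proc/{target}/{fname}")
```

Reading a foreign process's mem file also requires ptrace access, so on hosts with Yama ptrace_scope enabled the unprivileged case fails outright; the gdb event shows the blind spot of a path-based rule, which is better covered by auditing the ptrace syscall.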
2b. Mitigation
MITRE ATT&CK recommends the following mitigations:
3. Remote Services: SSH (T1021.004):
Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
3a. Detection
For Linux systems, the Audit framework (auditd) can be utilized to monitor the creation of SSH-related processes, such as ssh, and track any modifications to SSH log files, which store information about logged-in accounts. Additionally, monitoring for newly established network connections, particularly on port 22, can help detect potential SSH logins using valid accounts to access remote machines.
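The SSH log files mentioned above record each accepted login with the authentication method, account and source address, which is enough to apply the three mitigations listed next as review rules: root logins (a feature that can be disabled), password rather than key or MFA-backed authentication, and sources outside the networks an account is expected to come from. The following is an added example, not AttackIQ code, covering both SSH scenarios earlier on the page and the detection note here; the sshd log lines are constructed, and the allowed-network list and policy thresholds are assumptions.

```python
"""Review accepted sshd logins against simple policy rules. Added example; the log
lines and the allowed management network are constructed for the example."""
import ipaddress
import re
from typing import List, Tuple

# Constructed syslog lines in the format OpenSSH sshd emits.
SAMPLE_AUTH_LOG = """\
May 14 02:13:07 web01 sshd[2214]: Accepted publickey for root from 203.0.113.7 port 51234 ssh2: ED25519 SHA256:constructed1
May 14 09:02:11 web01 sshd[2300]: Accepted password for deploy from 10.0.0.9 port 40022 ssh2
May 14 09:05:42 web01 sshd[2310]: Accepted publickey for deploy from 10.0.0.9 port 40100 ssh2: RSA SHA256:constructed2
May 14 11:40:00 web01 sshd[2402]: Failed password for invalid user admin from 198.51.100.23 port 33012 ssh2
"""

# Assumption: interactive SSH is only expected from this management range.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")


def parse_accepted(log: str) -> List[Tuple[str, str, str, int]]:
    """(method, user, source, port) for every accepted login line; failures are skipped."""
    logins = []
    for line in log.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src, port = m.groups()
            logins.append((method, user, src, int(port)))
    return logins


def policy_violations(method: str, user: str, src: str) -> List[str]:
    """Reasons a login deserves review; an empty list means it passed every rule."""
    reasons = []
    if user == "root":
        reasons.append("root login")
    if method == "password":
        reasons.append("password authentication")
    try:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in ALLOWED_NETWORKS):
            reasons.append("source outside allowed networks")
    except ValueError:
        reasons.append("unparseable source address")
    return reasons


def review_logins(log: str) -> List[Tuple[str, str, List[str]]]:
    """(user, source, reasons) for each accepted login that breaks at least one rule."""
    findings = []
    for method, user, src, _port in parse_accepted(log):
        reasons = policy_violations(method, user, src)
        if reasons:
            findings.append((user, src, reasons))
    return findings


if __name__ == "__main__":
    for user, src, reasons in review_logins(SAMPLE_AUTH_LOG):
        print(f"{user} from {src}: {', '.join(reasons)}")
```

Because Ebury harvests credentials and keys from the hosts it sits on, a key-based login from the right network can still be the attacker; correlating accepted logins with the port-22 connection telemetry the page mentions, and with the key fingerprint at the end of each line, is what turns these rules into an investigation.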
3b. Mitigation
MITRE ATT&CK recommends the following mitigations:
- M1042 – Disable or Remove Feature or Program
- M1032 – Multi-factor Authentication
- M1018 – User Account Management
Wrap Up
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against Ebury. With data generated from continuous testing and the use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and persistent threat.
AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.