top of page
Writer's picturemeowdini

Ebury Back with a Bang: Notorious Malware Gang Diversifies into Crypto Theft

For over a decade, the Ebury malware gang cast a long shadow over the cybersecurity world.  These sophisticated botnet-infected servers stole credentials and redirected web traffic for fraudulent purposes. But by 2021, Ebury seemed to vanish, leaving investigators with a cold case. Then, with a bang, Ebury reemerged, proving the adage that in the fight against cybercrime, there's no such thing as a permanent victory.


Hacker in dark room with glowing computer screens displaying code.

Evolving Tactics for a Lucrative Target

The Dutch National High Tech Crime Unit (NHTCU) stumbled upon Ebury's return while investigating a cryptocurrency theft.  ESET, a cybersecurity firm with a long history battling Ebury, was called in to assist.  Their investigation revealed a disturbing truth: Ebury had not only resurfaced, it had diversified.  The malware now targeted Bitcoin wallets and credit card details, a clear sign the criminals were adapting to exploit the booming cryptocurrency market.


A Decade-Long Cat-and-Mouse Game

ESET researcher Marc-Etienne Léveillé, who had co-authored a white paper on Ebury in 2014, was brought back into the fold.  He called Ebury "the most sophisticated Linux backdoor ever seen" by his team.  The investigation wasn't without its challenges.  ESET had been running honeypots – decoy servers designed to attract attackers – to track Ebury's movements.  However, the malware's operators were too clever.  They not only detected the honeypots but also sent a chilling message: "Hello ESET honeypot!"



Unveiling Ebury's Arsenal

Despite the setback, the investigation continued.  ESET and the NHTCU discovered that Ebury had grown significantly.  They estimated the botnet had compromised a staggering 400,000 servers since 2009, with over 100,000 still infected as of late 2023.  A single incident in 2022 saw a staggering 70,000 servers from one hosting provider compromised.  Ebury's arsenal included:


  • Man-in-the-Middle Attacks (MitM):  By intercepting network traffic, Ebury could steal login credentials and session information used to access cryptocurrency wallets.

  • Compromised Servers as Launchpads:  Ebury cleverly used previously infected servers within the same network segment to launch spoofing attacks, further masking their activities.

  • Targeting High-Value Assets:  Bitcoin and Ethereum nodes became lucrative targets.  Once a victim logged in, Ebury would automatically steal their cryptocurrency wallets.


A Complex Web of Deception

Ebury's operators were adept at covering their tracks.  They used stolen identities to rent server space and obfuscated their digital footprints.  Investigators were often led down dead ends, chasing seemingly innocent individuals.  Ebury even employed tactics like using stolen credentials from other cybercriminals to further muddy the waters.  This "cybercriminal cover" pointed investigators in the wrong direction.


The Fight Continues

The investigation remains ongoing.  The NHTCU has identified "several promising digital identities" they are actively pursuing. Léveillé, weary but determined after a decade on the case, acknowledges the challenge: "It's not closed, but I'm not sure about any individuals behind it. That's still an unknown – for me at least."

Ebury's resurgence serves as a stark reminder: the fight against cybercrime is a constant battle. As Ebury adapted to target cryptocurrency, it highlights the ever-evolving tactics of cybercriminals. While the investigation offers a glimmer of hope, Ebury's story underscores the critical need for robust cybersecurity measures and continued vigilance in the face of a persistent threat.



Source:Thenextweb




Comments


bottom of page