A malware botnet called Everly It is estimated that 400,000 Linux servers have been compromised since 2009, and more than 100,000 of these remain compromised as of late 2023.
The findings come from Slovak cybersecurity firm ESET, which characterizes it as one of the most advanced server-side malware campaigns aimed at financial gain.
“Ebury attackers pursue monetization activities such as spreading spam, redirecting web traffic, and stealing credentials,” security researcher Marc-Etienne M. Léveillé said in a detailed analysis. Ta.
“Operators have also been involved in cryptocurrency heists using AitM and credit card theft through network traffic eavesdropping, commonly known as server-side web skimming.”
More than a decade ago, Ebury launched a campaign codenamed Operation Windigo that targeted Linux servers to deploy malware and used other backdoors and scripts such as Cdorked and Calfbot to redirect web traffic and send spam, respectively. It was first documented as part of a campaign called .
Then, in August 2017, a Russian named Maxim Senak was sentenced to nearly four years in prison in the United States for his role in developing and maintaining botnet malware.
“Mr. Cenarch and his co-conspirators used the Everybotnet to generate and redirect Internet traffic in order to facilitate various click fraud and spam email schemes, generating millions of dollars in fraudulent revenue. ” the U.S. Department of Justice said at the time.
“As part of the plea, Cenarch assisted the criminal organization by creating accounts at domain registrars that supported the development of the Ebury botnet infrastructure and personally profited from the traffic generated by the Ebury botnet. I admitted that.”
ESET research reveals that attackers are using methods such as SSH credential theft, credential stuffing, infiltrating hosting provider infrastructure, exploiting Control Web Panel flaws (e.g. CVE-2021-45467), and SSH adversaries. reveals the different methods used to deliver Ebury. -in-the-middle (AitM) attack.
Attackers use fake identities to cover their tracks, not to mention compromise infrastructure used by other perpetrators with malware to accomplish their goals and disrupt attribution efforts. They have also been observed using stolen IDs.
“One example is the compromise of a server responsible for collecting data from Vidar Stealer,” ESET said. “The Ebury attackers used the stolen identities obtained through Vidar Stealer to rent server infrastructure and operate, sending law enforcement in the wrong direction.”
In another example, Ebury was allegedly used to infiltrate one of the Mirai botnet creator’s systems and steal code long before it was made public.
The malware also functions as a backdoor and SSH credential stealer, giving attackers the ability to deploy additional payloads such as HelimodSteal, HelimodProxy, and HelimodRedirect to expand their presence within compromised networks. The latest known version of Ebury is 1.8.2.
“These tools have a common goal of monetizing compromised servers in a variety of ways,” ESET said. “The ways in which servers are monetized range from credit card information theft and cryptocurrency theft to traffic redirection, spamming, and credential theft.”
HelimodSteal, HelimodRedirect, and HelimodProxy are all HTTP server modules used to intercept HTTP POST requests made to a web server, redirect HTTP requests to ads, and proxy traffic to send spam. , the group has also adopted a kernel module called KernelRedirect that implements Netfilter. Hooks that modify HTTP traffic to perform redirects.
It also uses software that hides or allows malicious traffic to pass through firewalls, or to carry out large-scale AitM attacks within hosting provider data centers to infiltrate valuable targets and steal cryptocurrencies from wallets. A Perl script is also used.
HelimodSteal is designed to capture credit card data that victims submit to online stores, effectively acting as a server-side web skimmer that extracts information received by infected servers.
In another set of events, you can use Ebury or FrizzySteal to capture financial details. Ebury or FrizzySteal is a malicious shared library that is injected into libcurl and can leak requests made by a compromised server to external HTTP servers, such as payment processors.
“End-to-end encryption (HTTPS) cannot protect against this threat as both run within the web server or application,” ESET noted.
“Accessing servers used for shared hosting gives them access to a lot of unencrypted web traffic, which they use for stealth redirects and capturing details submitted in online forms.”
(Tag Translation)Cyber Security News
