Ebury

Ebury is an SSH backdoor targeting Linux operating systems. Installing it requires root-level access, which the attackers use to replace OpenSSH binaries (ssh, sshd, ssh-add, etc.) or to modify a shared library that OpenSSH loads (libkeyutils).[1][2][3]

Techniques Used

Domain ID Name Use
Enterprise VT0014 Compromise Client Software Binary

Ebury has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information.[1]

Enterprise VT0027.001 Encrypted Channel: Symmetric Cryptography

Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.[1]

Enterprise VT0016.002 Subvert Trust Controls: Code Signing

Ebury has installed a self-signed RPM package mimicking the original system package on RPM-based systems.[1]

Enterprise VT0017.004 Unsecured Credentials: Private Keys

Ebury has intercepted unencrypted private keys as well as private key passphrases.[1]
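The two tampering methods this entry describes, replaced OpenSSH files and a self-signed RPM that mimics the vendor package, call for two different host checks. The script below is an added example written for this page; it is not code from the page, from ESET, or from the ATT&CK-style catalogue. It assumes the usual output layouts of `rpm -V` (nine attribute flags, an optional `c` config marker, then the path) and of `rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'` (a `Key ID <hex>` token, or `(none)` for an unsigned package); the key IDs and file lines it is tested against are constructed, not real vendor keys.

```shell
#!/bin/sh
# Added example, not from the page or its sources. Two stdin-driven checks for
# the tampering described in this Ebury entry:
#   check_verify_output    reads `rpm -V openssh-server openssh-clients keyutils-libs`
#                          and prints non-config files that are missing or whose
#                          digest differs from what the rpm database recorded.
#   check_package_signers  reads `rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'` and
#                          prints packages that are unsigned or signed by a key
#                          outside a trusted list (catches a self-signed lookalike).
# Both read stdin so they can run on captured output from a suspect host.

# Assumed `rpm -V` line layout: "S.5....T.    /usr/sbin/sshd" or
# "S.5....T.  c /etc/ssh/sshd_config" or "missing     /path".
# A "5" in the third flag column means the file's digest changed on disk.
check_verify_output() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line##* }          # path is the last whitespace-separated field
        flags=${line%% *}         # "S.5....T." style flags, or "missing"
        case "$line" in
            *" c "*) continue ;;  # config files (sshd_config) change legitimately
        esac
        case "$flags" in
            missing) printf '%s\n' "$path" ;;
            ??5*)    printf '%s\n' "$path" ;;
        esac
    done
}

# $1: space-separated list of trusted signing key IDs (lowercase hex).
# Assumed input line: "openssh-server RSA/SHA256, <date>, Key ID 0123456789abcdef"
# or "keyutils-libs (none)" for a package with no signature.
# Prints "<pkg> <keyid>" for an untrusted signer, "<pkg> unsigned" for none.
check_package_signers() {
    trusted=" $1 "
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        pkg=${line%% *}
        case "$line" in
            *"Key ID "*)
                keyid=${line##*Key ID }
                keyid=$(printf '%s' "$keyid" | tr 'A-Z' 'a-z')
                case "$trusted" in
                    *" $keyid "*) ;;                       # trusted vendor key
                    *) printf '%s %s\n' "$pkg" "$keyid" ;;
                esac
                ;;
            *) printf '%s unsigned\n' "$pkg" ;;
        esac
    done
}

# Typical use on a live host (trusted key IDs taken from your distribution's
# published signing keys, not from the host under investigation):
#   rpm -V openssh-server openssh-clients keyutils-libs | check_verify_output
#   rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n' openssh-server openssh-clients keyutils-libs \
#       | check_package_signers "<vendor-key-id-1> <vendor-key-id-2>"
```

The order of the two checks matters. If the attacker has done what the Code Signing row describes and installed their own RPM over the original, the rpm database now holds the digests of the malicious files, so `rpm -V` reports them as clean; on such a host only the signer check shows the substitution. Both checks also depend on the `rpm` binary and its database being intact, so for a host that is actually suspected of an Ebury infection, run them from a known-good boot or against a mounted image rather than through the host's own shell.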

ID: VS0017
Type: MALWARE
Platforms: Linux
Version: 1.3

Created: 09 May 2021

Last Modified: 09 May 2021