Ebury

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.004 | Application Layer Protocol: DNS | Ebury has used DNS requests over UDP port 53 for C2.(Citation: ESET Ebury Feb 2014) |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Ebury has used Python to implement its DGA.(Citation: ESET Ebury Oct 2017) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Ebury has encoded C2 traffic in hexadecimal format.(Citation: ESET Ebury Feb 2014) |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Ebury has used a DGA to generate a domain name for C2.(Citation: ESET Ebury Feb 2014)(Citation: ESET Ebury Oct 2017) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.(Citation: ESET Ebury Feb 2014) |
| Enterprise | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | Ebury has injected its dynamic library into descendent processes of sshd via LD_PRELOAD.(Citation: ESET Ebury Oct 2017) |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.(Citation: ESET Ebury Oct 2017) |
| Enterprise | T1562.006 | Impair Defenses: Indicator Blocking | Ebury can hook logging functions so that nothing from the backdoor gets sent to the logging facility.(Citation: ESET Ebury Feb 2014) |
| Enterprise | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | Ebury can deactivate PAM modules to tamper with the sshd configuration.(Citation: ESET Ebury Oct 2017) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.(Citation: ESET Ebury Feb 2014) |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | Ebury has intercepted unencrypted private keys as well as private key pass-phrases.(Citation: ESET Ebury Feb 2014) |
References
- Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
- Cimpanu, C. (2017, March 29). Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware. Retrieved April 23, 2019.
- Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
- Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign. Retrieved February 10, 2021.