The botnet malware tracked as Ebury has steadily expanded over the past decade, having compromised over 400,000 hosts since 2009, with about 100,000 still-infected systems identified by the end of 2023, according to SecurityWeek.
First documented by ESET in 2014, when about 25,000 infected servers were identified, Ebury has survived takedown attempts and the sentencing of one of its developers, the ESET report showed.
The botnet primarily targets servers, including those of hosting providers, and its core capability is SSH credential theft: beyond harvesting logins on the compromised host itself, the operators intercept and redirect SSH traffic inside the victim's network to capture credentials for neighbouring servers. They have also targeted Tor exit nodes and Bitcoin and Ethereum nodes, redirecting traffic to steal cryptocurrency wallets and credit card data. Recent activity includes exploiting zero-day vulnerabilities in server administration software and compromising other threat actors' infrastructure to steal the data those actors had exfiltrated.
Ebury has been observed using techniques including credential stuffing, exploitation of vulnerabilities such as CVE-2021-45467 (a file-inclusion flaw in Control Web Panel) and Dirty COW (CVE-2016-5195), and adversary-in-the-middle attacks. For monetization, the operators have deployed companion malware such as HelimodSteal and HelimodRedirect (malicious Apache modules that steal submitted form data and redirect web traffic, respectively), but have recently shifted toward cryptocurrency and credit card data theft, among other schemes.
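The credential stuffing mentioned above leaves a recognisable trace in sshd logs: one source address cycling through many usernames in a short window, sometimes followed by a successful password login. The following detector is an added example written for this article, not code from ESET or from the report; the log lines are constructed in the standard syslog-style format used by OpenSSH on Debian/Ubuntu, the year 2024 is assumed because that format omits it, and the thresholds (four distinct usernames within 60 seconds) are illustrative choices rather than published indicators.

```python
"""Flag SSH credential stuffing from sshd log lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not real telemetry. 203.0.113.7 sprays five
# usernames in five seconds and then lands a password login as 'deploy';
# 198.51.100.9 is an ordinary user who mistyped once and then used a key.
SAMPLE_AUTH_LOG = """\
May 14 10:00:01 web1 sshd[2101]: Failed password for invalid user oracle from 203.0.113.7 port 40122 ssh2
May 14 10:00:02 web1 sshd[2103]: Failed password for invalid user postgres from 203.0.113.7 port 40130 ssh2
May 14 10:00:03 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 40141 ssh2
May 14 10:00:04 web1 sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 40155 ssh2
May 14 10:00:05 web1 sshd[2109]: Failed password for invalid user deploy from 203.0.113.7 port 40160 ssh2
May 14 10:00:06 web1 sshd[2111]: Accepted password for deploy from 203.0.113.7 port 40171 ssh2
May 14 10:05:00 web1 sshd[2200]: Failed password for alice from 198.51.100.9 port 51000 ssh2
May 14 10:05:30 web1 sshd[2202]: Accepted publickey for alice from 198.51.100.9 port 51002 ssh2
"""

# Matches both 'Failed password for invalid user X' and 'Failed password for X',
# plus 'Accepted password/publickey for X'.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

LOG_YEAR = "2024"  # assumed: syslog timestamps carry no year


def parse_auth_log(text):
    """Return a list of (timestamp, result, username, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unrelated sshd line (disconnects, key negotiation, ...)
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_credential_stuffing(events, min_users=4, window_s=60):
    """Flag source IPs that fail against >= min_users distinct usernames within
    window_s seconds. For each hit, also report which usernames that IP later
    logged in with successfully (a spray followed by success is the case worth
    an immediate response). Returns {ip: {"users": [...], "accepted_after": [...]}}.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        failed = [e for e in evs if e[1] == "Failed"]
        # Sliding window anchored at each failure: distinct users tried within window_s.
        for i, (t0, _, _, _) in enumerate(failed):
            users = {e[2] for e in failed[i:] if (e[0] - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                accepted = {e[2] for e in evs if e[1] == "Accepted" and e[0] >= t0}
                hits[ip] = {"users": sorted(users), "accepted_after": sorted(accepted)}
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: sprayed {len(info['users'])} users {info['users']}, "
              f"later accepted as {info['accepted_after'] or 'none'}")
```

Run against a real `/var/log/auth.log` by reading the file into `parse_auth_log`; on systemd hosts, feed it `journalctl -u ssh --no-pager -o short` output instead. Tune `min_users` and `window_s` to the host's normal traffic, and treat any entry with a non-empty `accepted_after` as a compromised account rather than merely a noisy scanner.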