elf.ebury

Ebury


This payload was used to compromise kernel.org in August 2011 and also hit cPanel Support, which in turn led to the infection of quite a few cPanel servers. It is a credential-stealing payload that harvests SSH keys, passwords, and potentially other credentials.

This family is part of a wider set of tools that are described in detail in ESET's Operation Windigo whitepaper.

References
@online{italia:20210421:windigo:213e6a9,
  author = {CSIRT Italia},
  title = {{Windigo footprints: an Ebury variant}},
  date = {2021-04-21},
  organization = {CSIRT Italia},
  url = {https://csirt.gov.it/data/cms/posts/582/attachments/66ca2e9a-68cd-4df5-81a2-674c31a699c2/download},
  language = {English},
  urldate = {2021-04-28}
}

@online{security:20190604:advisory:6a1c7d2,
  author = {CERN Computer Security},
  title = {{Advisory: Windigo attacks}},
  date = {2019-06-04},
  organization = {CERN},
  url = {https://security.web.cern.ch/security/advisories/windigo/windigo.shtml},
  language = {English},
  urldate = {2023-05-11}
}

@online{mlveill:20181205:dark:ac089e8,
  author = {Marc-Etienne M.Léveillé},
  title = {{The Dark Side of the ForSSHe}},
  date = {2018-12-05},
  organization = {ESET Research},
  url = {https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/},
  language = {English},
  urldate = {2019-11-14}
}

@techreport{dumont:20181201:dark:20efc15,
  author = {Romain Dumont and Marc-Etienne M.Léveillé and Hugo Porcher},
  title = {{THE DARK SIDE OF THE FORSSHE: A landscape of OpenSSH backdoors}},
  date = {2018-12-01},
  institution = {ESET Research},
  url = {https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf},
  language = {English},
  urldate = {2020-01-09}
}

@online{vachon:20171030:windigo:70e8015,
  author = {Frédéric Vachon},
  title = {{Windigo Still not Windigone: An Ebury Update}},
  date = {2017-10-30},
  organization = {ESET Research},
  url = {https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/},
  language = {English},
  urldate = {2019-11-14}
}

@online{affairs:20170328:russian:e9c593c,
  author = {Office of Public Affairs},
  title = {{Russian Citizen Pleads Guilty for Involvement in Global Botnet Conspiracy}},
  date = {2017-03-28},
  organization = {Department of Justice},
  url = {https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy},
  language = {English},
  urldate = {2020-01-07}
}

@online{bilodeau:20141015:operation:f775b05,
  author = {Olivier Bilodeau},
  title = {{Operation Windigo: “Good job, ESET!” says malware author}},
  date = {2014-10-15},
  organization = {ESET Research},
  url = {https://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/},
  language = {English},
  urldate = {2022-07-05}
}

@techreport{bilodeau:201403:operation:40b7f42,
  author = {Olivier Bilodeau and Pierre-Marc Bureau and Joan Calvet and Alexis Dorais-Joncas and Marc-Etienne M.Léveillé and Benjamin Vanheuverzwijn},
  title = {{OPERATION WINDIGO}},
  date = {2014-03},
  institution = {ESET Research},
  url = {https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf},
  language = {English},
  urldate = {2020-01-08}
}

@online{mlveill:20140221:indepth:3ee584f,
  author = {Marc-Etienne M.Léveillé},
  title = {{An In-depth Analysis of Linux/Ebury}},
  date = {2014-02-21},
  organization = {ESET Research},
  url = {https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/},
  language = {English},
  urldate = {2019-11-14}
}

There is no YARA signature yet.