Ebury has used DNS requests over UDP port 53 for C2.^[1]

If credentials are not collected for two weeks,Ebury encrypts the credentials using a public key and sends them via UDP to an IP address located in the DNS TXT record.^[5][4]

Ebury can use the commandsXcsh orXcls to open a shell withEbury level permissions andXxsh to open a shell with root level.^[4]

Ebury has used Python to implement its DGA.^[3]

Ebury modifies thekeyutils library to add malicious behavior to the OpenSSH client and the curl library.^[1][4]

Ebury has encoded C2 traffic in hexadecimal format.^[1]

Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.^[3]

Ebury has used a DGA to generate a domain name for C2.^[1][3]

Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.^[1]

Ebury exfiltrates a list of outbound and inbound SSH sessions using OpenSSH'sknown_host files andwtmp records.Ebury can exfiltrate SSH credentials through custom DNS queries or use the commandXcat to send the process's ssh session's credentials to the C2 server.^[5][4]

Ebury has implemented a fallback mechanism to begin using a DGA when the attacker hasn't connected to the infected system for three days.^[3]

WhenEbury is running as an OpenSSH server, it uses LD_PRELOAD to inject its malicious shared module in to programs launched by SSH sessions.Ebury hooks the following functions fromlibc to inject into subprocesses;system,popen,execve,execvpe,execv,execvp, andexecl.^[3][4]

Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.^[3]

Ebury hooks system functions to prevent the user from seeing malicious files (readdir,realpath,readlink,stat,open, and variants), hide process activity (ps andreaddir64), and socket activity (open andfopen).^[1][4]

Ebury disables OpenSSH, system (systemd), and audit logs (/sbin/auditd) when the backdoor is active.^[4]

Ebury can intercept private keys using a trojanizedssh-add function.^[1]

Ebury can deactivate PAM modules to tamper with the sshd configuration.^[3]

Ebury has obfuscated its strings with a simple XOR encryption with a static key.^[1]

Ebury acts as a user land rootkit using the SSH service.^[3][4]

Ebury is executed through hooking the keyutils.so file used by legitimate versions ofOpenSSH andlibcurl.^[4]

Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.^[1]

Ebury has intercepted unencrypted private keys as well as private key pass-phrases.^[1]

^[3]