| Ebury - OpenSSH backdoor + credential stealer |
| Ebury runs a Perl script through ssh to perform reconnaissance, wipe logs, detect honeypots, detect LD_PRELOAD, and check for the OpenSSH ForceCommand option |
| Ebury enumerates Linux distribution and version |
| Ebury enumerates installed software |
| Ebury checks for other known OpenSSH backdoors |
| Ebury checks /usr/bin/ssh and /usr/sbin/sshd for byte patterns indicating other backdoors |
| this is a large set of signatures: family-specific ones plus generic ones meant to catch unknown strains |
| Ebury will steal credentials from other OpenSSH backdoors |
| Ebury checks for rootkits by comparing /proc/modules and /sys/module |
| Ebury alters package manager metadata (debsums, rpm) to make it look legitimate |
| Ebury waits a few days after the recon script is run before embedding itself |
| the Ebury backdoor sends daily batches of the credentials collected plus data on how the system was used (last command, .bash_history, …) |
| ESET researchers translated signatures from the recon script into YARA rules to help hunt. |
| some of the signatures were difficult to implement as YARA rules and had a high false-positive rate |
| signatures were iterated and made better over time. |
| Bonadan uses code from Onderon - many relationships like this were observed |
| strings and code obfuscation |
| Some samples used UPX |
| XOR string encryption was the most common |
| several samples used stack strings to obfuscate strings |
| client-based malware hooked these functions: userauth_passwd, ssh_askpass, try_challenge_response_authentication, input_userauth_info_req, input_userauth_passwd_changereq |
| in a few rare cases, load_identity_file was hooked to steal passphrases from private keys |
| server-based malware hooked: auth_password, sshpam_respond, sys_auth_passwd, sshpam_auth_passwd, server_listen |
| almost every sample stored the credentials to a local file. |
| the path of the stolen credentials usually blended in with the filesystem |
| lots of code reuse with publicly-available PoCs |
| commonly found in /usr/include or /usr/share. |
| many logs have .h file extensions |
| /usr/lib with a .so extension |
| /usr/share/man with a .gz extension |
| /tmp with various extensions |
| /usr/local/include with .h extension |
| many encrypted the file contents with simple methods: XOR, NOT, or SUB with a single-byte key; a few used real ciphers: |
| AES - Atollon malware |
| 3DES - Bespin malware |
| RC4 - Crait malware |
| many log files shared the same formats: |
| “+user: %s +password: %s\n” |
| “+host: %s + +user: %s +password: %s\n” |
| “ssh: ~(av[%d]: %s\n” |
| “IN: %s at: %s | user: %s, pass: %s\n” |
| “user:password -> %s:%s\n” |
| “passwd from: %s \tuser: %s \tpass: %s \n” |
| “%s:%s\n” |
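As an added example (not from the original notes or from ESET's own tooling), a small hunting script that ties the three observations above together: it walks the stash directories noted (/usr/include, /usr/lib, /usr/share/man, /tmp, …), tries the simple decodings listed (plain, NOT, single-byte XOR/SUB) on the head of each file, and matches the result against regexes built from the log format strings. The regexes, directory/extension choices, and sample data are assumptions derived from these notes.

```python
import os
import re

# Regexes derived from the log format strings above ("%s:%s\n" is too generic and is skipped).
LOG_PATTERNS = [
    re.compile(rb"\+user: \S+ \+password: "),
    re.compile(rb"\+host: \S+ \+ \+user: \S+ \+password: "),
    re.compile(rb"ssh: ~\(av\[\d+\]: "),
    re.compile(rb"IN: \S+ at: \S+ \| user: \S+, pass: "),
    re.compile(rb"user:password -> \S+:"),
    re.compile(rb"passwd from: \S+ \tuser: \S+ \tpass: "),
]

def decoders():
    """Yield (label, fn) per simple scheme noted: plain, NOT, XOR or SUB with a 1-byte key."""
    yield "plain", lambda b: b
    yield "not", lambda b: bytes(~x & 0xFF for x in b)
    for k in range(1, 256):  # adding every k covers both directions of a 1-byte SUB
        yield f"xor:{k:#04x}", lambda b, k=k: bytes(x ^ k for x in b)
        yield f"sub:{k:#04x}", lambda b, k=k: bytes((x + k) & 0xFF for x in b)

def scan_blob(data):
    """Return (decoder_label, pattern) if some decoding of the file head looks like a log, else None."""
    head = data[:4096]
    for label, fn in decoders():
        plain = fn(head)
        for pat in LOG_PATTERNS:
            if pat.search(plain):
                return label, pat.pattern.decode()
    return None

def scan_tree(root, exts=()):
    """Walk a stash dir (e.g. /usr/include with ".h", /tmp unfiltered) for files matching a log format."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if exts and not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    result = scan_blob(fh.read(4096))
            except OSError:
                continue
            if result:
                hits.append((path, *result))
    return hits

# Constructed samples for demonstration only; not real stolen data.
SAMPLE_PLAIN = b"+user: alice +password: hunter2\n"
SAMPLE_XOR = bytes(x ^ 0x5A for x in b"user:password -> bob:secret\n")
```

A run such as `scan_tree("/usr/include", (".h",))` or `scan_tree("/tmp")` reports the path, the decoding that worked, and the format matched; a genuine gzip man page or C header will not decode to any of these formats.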
| 9 out of the 21 backdoors observed exfiltrated credentials over the network in addition to saving to a file. |
| HTTP |
| Custom TCP protocol |
| Custom UDP protocol |
| used common ports such as 80, 443, 1194 (OpenVPN) |
| Kessel malware exfiltrated over DNS |
| some client backdoors exfiltrated by email via the mail command |
| most families added a hard-coded password to retain access |
| many were hard-coded in plaintext form |
| some protected the password with crypt() or bcrypt() |
| some protected the password with MD5 |
| many backdoors tampered with sshd to allow root logins regardless of the sshd_config settings, hooking: |
| auth_root_allowed |
| do_setusercontext |
| permanently_set_uid |
| getpwnamallow |
| userauth_finish |
| many had settings that turned off logging while the attacker’s account was logged in |
| this includes sshd logging and the HISTFILE/HISTSIZE environment variables |
| hooked logging functions: do_log, record_login, record_logout, auth_log, login_write, do_pam_session, sshpam_cleanup, sshpam_auth_passwd, log_facility_number, debug, verbose, logit, error, ssh_userauth2 |