Dutch police have traced a cryptocurrency theft to one of the world’s worst botnets
After years of hacking servers to swindle millions of dollars, the infamous Ebury malware gang slipped into the shadows in 2021. Now it has reemerged with a bang.
The new evidence emerged during a police investigation in the Netherlands. A cryptocurrency theft had been reported to the Dutch National High-Tech Crime Unit (NHTCU). On the victim’s server, the cyber cops found a familiar enemy: Ebury.
The discovery revealed a new target for the botnet. Ebury had diversified into stealing Bitcoin wallets and credit card details.
The NHTCU requested assistance from ESET, a Slovakian IT security firm. The request reopened a case that Marc-Etienne Léveillé had been investigating for over a decade.
In 2014, the ESET researcher co-authored a white paper on the botnet’s operations. He called Ebury the “most sophisticated Linux backdoor” his team had ever seen.
Cybercriminals use Ebury as a powerful backdoor and credential stealer. After entering a server, the botnet can also distribute additional malware, redirect web visitors to fraudulent ads, and run proxy traffic to send spam. According to US officials, the operation fraudulently generated millions of dollars in revenue.
“It’s very well made and they’ve managed to stay under the radar for so many years,” Léveillé tells TNW.
A year after ESET’s original article was published, an alleged Ebury operator was arrested in Finland. His name was Maxim Senakh. Finnish authorities then extradited the Russian citizen to the United States.
The 41-year-old eventually pleaded guilty to a reduced set of computer fraud charges. In 2017 he was sentenced to almost four years in prison.
In a press release, the US Department of Justice said Ebury had infected “tens of thousands” of servers around the world. Yet that was only a fraction of the total.
Hello ESET honeypots
As Senakh’s trial progressed, ESET researchers used honeypots to track Ebury’s next moves. They found that the botnet was still growing and receiving updates. But their detective work didn’t stay hidden for long.
“It became increasingly difficult to make honeypots undetectable,” explains Léveillé. “They had many techniques to see them.”
A honeypot reacted strangely when Ebury was installed. The botnet operators then abandoned the server. They also sent a message to their opponents: “Hello ESET honeypot!”
Ebury offenders located a honeypot. Credit: ESET
After that case went cold, a new one developed in the Netherlands.
By the end of 2021, the NHTCU had given ESET a fresh lead. Working together, the cybercrime unit and the cybersecurity firm investigated Ebury’s development.
“The botnet had grown,” says Léveillé. “There were new victims and even bigger incidents.”
ESET currently estimates that Ebury has compromised around 400,000 servers since 2009. In a single incident last year, 70,000 of a hosting provider’s servers were infected with the malware. At the end of 2023, over 100,000 servers at one hosting provider were still compromised.
Some of these servers have been used for credit card and cryptocurrency theft.
The botnet comes for Bitcoin
To steal the cryptocurrency, Ebury used adversary-in-the-middle (AitM) attacks, a sophisticated phishing technique used to capture login credentials and session information.
Applying AitM, the botnet intercepted network traffic from interesting targets within data centers. The traffic was then redirected to a server that captured the credentials.
The hackers also exploited servers that Ebury had previously infected. When these servers are in the same network segment as the new target, they provide a platform for spoofing.
Among the profitable targets were Bitcoin and Ethereum nodes. Once the victim entered the password, Ebury automatically stole the cryptocurrency wallets hosted on the server.
AitM attacks provided a powerful new method to quickly monetize the botnet.
“Cryptocurrency theft was not something we had ever seen done before,” says Léveillé.
The Dutch investigation continues
The variety of Ebury victims also grew. They now span universities, small businesses, large enterprises and cryptocurrency traders. They also include Internet Service Providers, Tor exit nodes, shared hosting providers, and dedicated server providers.
To hide their crimes, Ebury operators often use stolen identities to rent server infrastructure and conduct their attacks. These techniques lead investigators in the wrong direction.
“They’re really good at confusing attribution,” Léveillé says.
The NHTCU found further evidence of obfuscation. In a new ESET white paper, the Dutch police highlighted several anonymization techniques.
Ebury’s fingerprints often turned out to be false, the NHTCU said. The tracks often led to (seemingly) innocent people.
The operators also used nicknames and credentials of known cybercriminals to throw investigators off the trail. On a seized backup server, the NHTCU found a complete copy of an illicit website with logins collected by other scammers.
“So the Ebury group not only benefits from the theft of already stolen login credentials, but is also able to use the credentials of the cybercriminals who steal them,” Dutch police said.
“As a result, they can create a ‘cybercriminal cover’ that points in different directions from them.”
Despite these red herrings, the NHTCU says “several promising digital identities” are being actively pursued. Léveillé, meanwhile, takes another break from his 10-year investigation.
“It’s not closed, but I’m not sure there are people behind it,” he says. “This is still an unknown, at least for me.”