Backdoor Attacks From Windigo Operation Still Active

Windigo, a malicious operation uncovered over three years ago, continues to be active despite a takedown attempt in 2014 and the sentencing of one conspirator in August 2017.

At the core of Windigo was Linux/Ebury, an OpenSSH backdoor and credential stealer that was estimated to have infected over 25,000 servers worldwide during a two and a half year period prior to the botnet’s discovery. The systems were being abused to steal credentials, redirect web traffic to malicious sites, and send in excess of 30 million spam messages a day.

The operation was uncovered by ESET researchers who worked together with CERT-Bund, the Swedish National Infrastructure for Computing, and other agencies to take it down. In 2015, Finnish authorities apprehended Maxim Senakh, one of the conspirators behind the operation. He was extradited to the United States last year and sentenced to 46 months in federal prison in August this year.

While security researchers did notice a significant drop in Windigo's web traffic redirection activity following Senakh's arrest, the operation was not put to rest completely, and the Ebury backdoor has evolved, ESET warns.

A new version of the malware, discovered in February this year, shows that its authors focused on evasion and on improving the botnet's resilience against takeover attempts. The malware also packs a new mechanism to hide its files on the filesystem, the researchers discovered.

The malware continues to use a domain generation algorithm (DGA) for data exfiltration if the operator hasn’t connected to the infected system via the OpenSSH backdoor for three days, but changes were made to the DGA itself, ESET reveals.

Ebury now includes self-hiding techniques the researchers refer to as a “userland rootkit.” For that, the malware hooks the readdir and readdir64 functions, which are used to list directory entries. If the next directory entry to be returned is the Ebury shared library file, the hook skips it and returns the subsequent entry instead.

To activate the hooks, Ebury injects its dynamic library into every descendant process of sshd. Thus, Ebury’s dynamic library is loaded when the new process is executed, and the malware’s constructor is called, executing the hooking routines.

In addition to being Linux-distribution-specific, earlier versions of the backdoor used to work only on very specific versions of OpenSSH, but the newer version replaced the OpenSSH patching routines with function hooking. Thus, the researchers were able to execute the malware on multiple Linux distributions.

The threat also features a hardened backdoor mechanism that no longer relies on a password encoded in the SSH client version string. Now, the backdoor’s activation requires a private key to authenticate, an extra check supposedly added to prevent unauthorized use of Ebury-compromised servers.

The new version of Ebury also features new installation methods, the security researchers discovered. As in previous versions, the malware adds the payload inside the libkeyutils.so library, but it does so differently than before, and it also uses different deployment scripts and techniques depending on the Linux distribution running on the targeted system.

“Ebury now uses self-hiding techniques and new ways to inject into OpenSSH related processes. Furthermore, it uses a new domain generation algorithm (DGA) to find which domain TXT record to fetch. The exfiltration server IP address is concealed in these data, signed with the attackers’ private key. An expiration date was added to the signed data to defend against signature reuse, thus mitigating potential sinkhole attempts. Windigo’s operators regularly monitor publicly shared IoCs and quickly adapt to fool available indicators,” ESET concludes.

Related: Researchers Uncover Attack Campaign Leveraging 25,000 Unix Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
