A stealthy Linux backdoor named Plague, hidden as a malicious PAM module, allows attackers to bypass authentication and maintain persistent SSH access.
Nextron Systems researchers discovered a new stealthy Linux backdoor called Plague, hidden as a malicious PAM (Pluggable Authentication Module) module. It silently bypasses authentication and grants persistent SSH access.
A Pluggable Authentication Module (PAM) is a flexible system used in Unix-like operating systems (like Linux) to manage authentication tasks. In simple terms, PAM allows system administrators to plug in different authentication methods (like passwords, fingerprints, or smart cards) without changing programs like login, sudo, or sshd.
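Because every PAM-aware service loads whatever shared objects its configuration names, a malicious module only needs one line in a pam.d file to sit inside the authentication path. The following added example (not code from the report or from Nextron Systems) parses pam.d-style configuration lines and compares the SHA-256 of each referenced module against a baseline of known-good digests; the sample configuration, the fake module contents and the module name `pam_helper.so` are constructed for illustration, and the PAM module directories are assumptions to adjust per distribution.

```python
import hashlib
import re
from pathlib import Path

# Typical PAM module directories (assumption: check your distribution's layout).
PAM_MODULE_DIRS = [
    "/lib/security",
    "/lib64/security",
    "/lib/x86_64-linux-gnu/security",
    "/usr/lib/security",
    "/usr/lib64/security",
]


def parse_pam_lines(text):
    """Parse pam.d-style lines into dicts with type, control, module and args.

    Handles bracketed control fields such as [success=1 default=ignore]
    and skips comments and @include directives.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$", line)
        if not m:
            continue
        mtype, control, module, args = m.groups()
        entries.append({
            "type": mtype.lstrip("-"),   # a leading '-' marks an optional module
            "control": control,
            "module": module,
            "args": args.split(),
        })
    return entries


def resolve_module(module, module_dirs=PAM_MODULE_DIRS):
    """Return the first on-disk path for a module name, or None if not found."""
    if module.startswith("/"):
        p = Path(module)
        return p if p.exists() else None
    for d in module_dirs:
        p = Path(d) / module
        if p.exists():
            return p
    return None


def audit_pam_config(text, baseline, read_module=None):
    """Hash every module named in a PAM config and check it against a baseline.

    baseline: set of known-good SHA-256 hex digests (e.g. from package files).
    read_module: callable module-name -> bytes or None; defaults to reading
    the real module directories on the host.
    """
    if read_module is None:
        def read_module(module):
            p = resolve_module(module)
            return p.read_bytes() if p else None
    findings = []
    for entry in parse_pam_lines(text):
        data = read_module(entry["module"])
        if data is None:
            digest, status = None, "missing"
        else:
            digest = hashlib.sha256(data).hexdigest()
            status = "known" if digest in baseline else "UNKNOWN"
        findings.append({**entry, "sha256": digest, "status": status})
    return findings


def unknown_modules(findings):
    """Module names that are missing or whose hash is not in the baseline."""
    return sorted({f["module"] for f in findings if f["status"] != "known"})


# Constructed sample resembling /etc/pam.d/sshd; pam_helper.so is a placeholder
# for an unexpected module and is not a real project or malware name.
SAMPLE_SSHD_CONFIG = """\
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       optional     pam_helper.so
account    required     pam_nologin.so
session    required     pam_unix.so
"""

# Constructed stand-ins for module file contents (not real ELF objects).
FAKE_MODULES = {
    "pam_env.so": b"ELF fake pam_env",
    "pam_unix.so": b"ELF fake pam_unix",
    "pam_nologin.so": b"ELF fake pam_nologin",
    "pam_helper.so": b"ELF fake unexpected module",
}
KNOWN_GOOD = {
    hashlib.sha256(FAKE_MODULES[m]).hexdigest()
    for m in ("pam_env.so", "pam_unix.so", "pam_nologin.so")
}


def demo():
    """Run the audit over the constructed sample; returns the unknown modules."""
    findings = audit_pam_config(SAMPLE_SSHD_CONFIG, KNOWN_GOOD, FAKE_MODULES.get)
    return unknown_modules(findings)


if __name__ == "__main__":
    print(demo())
```

On a real host, build the baseline from package-manager metadata (for example the digests recorded for the files a distribution's PAM packages own) and call `audit_pam_config` with the default reader over every file under /etc/pam.d; a module the package manager does not account for is worth a manual look regardless of what antivirus engines say about it.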
The experts state that, although several variants of this backdoor have been uploaded to VirusTotal over the past year, they were consistently flagged as non-malicious.

The Plague backdoor includes advanced features such as anti-debugging to prevent analysis, string obfuscation to hide sensitive data, a static password for covert access, and the ability to erase session artifacts to avoid detection, making it a stealthy and persistent threat.
The Plague backdoor uses increasingly complex string obfuscation to avoid detection. Early versions relied on simple XOR encryption, but later samples implemented custom KSA/PRGA-like routines, and the latest adds a DRBG (deterministic random bit generator) layer. These changes aim to block both automated and manual analysis by hiding strings and their memory offsets. To counter this, researchers built a custom IDA Pro plugin using Unicorn to emulate and extract strings.
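The single-byte XOR scheme the early variants used is the easiest layer for an analyst to strip: XOR with a constant key preserves structure, so the key that turns a blob into mostly printable text separated by NUL bytes is almost always the right one. The following added example (not the researchers' IDA Pro/Unicorn plugin and not code from the report) recovers such a key by scoring every candidate for printability and then splits the result into strings; the plaintext, the key 0x5A and the resulting blob are constructed here for illustration.

```python
# Bytes an analyst expects in decoded string tables: NUL separators plus
# printable ASCII (excluding other control characters, which makes the
# scoring reject near-miss keys that only flip case or whitespace).
ALLOWED = {0} | set(range(0x20, 0x7F))


def xor_bytes(data, key):
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def readability_score(data):
    """Fraction of bytes in ALLOWED; 1.0 means the whole blob looks like a string table."""
    if not data:
        return 0.0
    return sum(b in ALLOWED for b in data) / len(data)


def recover_single_byte_xor(blob, min_score=0.95):
    """Try all 256 keys and return (key, decoded) for the most readable result.

    Returns (None, None) when no key reaches min_score, so callers do not
    mistake random bytes for a decoded string table.
    """
    best_key, best_data, best_score = None, None, 0.0
    for key in range(256):
        candidate = xor_bytes(blob, key)
        score = readability_score(candidate)
        if score > best_score:
            best_key, best_data, best_score = key, candidate, score
    if best_score < min_score:
        return None, None
    return best_key, best_data


def extract_strings(decoded, min_len=4):
    """Split a decoded NUL-separated table into printable strings of min_len or more."""
    out = []
    for chunk in decoded.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


# Constructed sample: a plaintext string table and its XOR-obfuscated form.
# The strings are chosen to resemble what the article describes; the blob is
# not taken from any real sample.
SAMPLE_PLAINTEXT = b"/dev/null\x00HISTFILE\x00pam_authenticate\x00"
SAMPLE_KEY = 0x5A
OBFUSCATED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def demo():
    """Recover the key from the constructed blob and return (key, strings)."""
    key, decoded = recover_single_byte_xor(OBFUSCATED)
    if key is None:
        return None, []
    return key, extract_strings(decoded)


if __name__ == "__main__":
    key, strings = demo()
    print(f"key=0x{key:02x} strings={strings}")
```

This only handles the simplest layer the article mentions; the later KSA/PRGA-style and DRBG-based variants generate a keystream rather than a constant, which is why the researchers moved to emulating the decryption routine itself instead of guessing keys.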
“These changes reflect the threat actor’s ongoing efforts to evade both automated and manual analysis. The obfuscation not only hides sensitive strings but also their memory offsets, making static analysis unreliable,” continues the report.
Plague also includes anti-debugging features, like checking for ld.so.preload or renaming itself, and sanitizes its SSH session traces by unsetting key environment variables and redirecting shell history to /dev/null, ensuring stealth and persistence.
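The session sanitization leaves a detectable trace of its own: a shell spawned by sshd normally carries SSH_CLIENT, SSH_CONNECTION and SSH_TTY in its environment and writes history to a file, so a child of sshd with those variables stripped or with HISTFILE pointed at /dev/null stands out. The following added example (not code from the report) parses environments in the NUL-separated format of /proc/<pid>/environ and flags such sessions; the two sample environments are constructed, and the list of variables expected from sshd is an assumption based on default OpenSSH behaviour.

```python
import os

# Variables a default OpenSSH sshd sets for every session it spawns (assumption).
EXPECTED_SSH_VARS = ("SSH_CLIENT", "SSH_CONNECTION", "SSH_TTY")


def parse_environ(blob):
    """Parse the NUL-separated KEY=VALUE format used by /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\x00"):
        if not item:
            continue
        key, sep, val = item.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = val.decode("utf-8", "replace")
    return env


def assess_session(env, parent_comm):
    """Return reasons a process environment looks sanitized; [] means nothing odd.

    parent_comm is the parent process name (contents of /proc/<ppid>/comm).
    """
    findings = []
    if parent_comm == "sshd":
        missing = [v for v in EXPECTED_SSH_VARS if v not in env]
        if missing:
            findings.append("sshd child missing " + ", ".join(missing))
    if env.get("HISTFILE") == "/dev/null":
        findings.append("HISTFILE redirected to /dev/null")
    if env.get("HISTSIZE") == "0" or env.get("HISTFILESIZE") == "0":
        findings.append("history size forced to 0")
    return findings


def scan_proc(pids=None, proc="/proc"):
    """Walk a live Linux /proc and yield (pid, findings) for flagged processes.

    Needs root to read other users' environ files; unreadable entries are skipped.
    """
    if pids is None:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    for pid in pids:
        try:
            with open(f"{proc}/{pid}/environ", "rb") as f:
                env = parse_environ(f.read())
            with open(f"{proc}/{pid}/stat") as f:
                # Format: "pid (comm) state ppid ..."; comm may contain spaces,
                # so split on the last ')' before taking fields.
                ppid = f.read().rsplit(")", 1)[1].split()[1]
            with open(f"{proc}/{ppid}/comm") as f:
                parent = f.read().strip()
        except OSError:
            continue
        findings = assess_session(env, parent)
        if findings:
            yield pid, findings


# Constructed sample environments (addresses from documentation ranges).
NORMAL_ENV = (
    b"USER=alice\x00HOME=/home/alice\x00"
    b"SSH_CLIENT=198.51.100.7 51234 22\x00"
    b"SSH_CONNECTION=198.51.100.7 51234 192.0.2.10 22\x00"
    b"SSH_TTY=/dev/pts/0\x00HISTFILE=/home/alice/.bash_history\x00"
)
SANITIZED_ENV = b"USER=alice\x00HOME=/home/alice\x00HISTFILE=/dev/null\x00HISTSIZE=0\x00"


def demo():
    """Assess both constructed environments as children of sshd."""
    return (
        assess_session(parse_environ(NORMAL_ENV), "sshd"),
        assess_session(parse_environ(SANITIZED_ENV), "sshd"),
    )


if __name__ == "__main__":
    for pid, findings in scan_proc():
        print(pid, findings)
```

Treat a hit as a signal rather than proof: administrators sometimes disable history deliberately, and non-interactive SSH commands do not get SSH_TTY. Combine it with the PAM module audit and with watching /etc/ld.so.preload and the PAM module directories for writes, which covers the other behaviours the article lists.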
The Plague backdoor is a stealthy, evolving Linux threat that abuses authentication systems, obfuscation, and tampering to avoid detection.
Attribution of the Plague backdoor is still unknown, but an early sample named “hijack” may offer clues. After deobfuscation, it reveals a hidden reference to the movie Hackers with the line: “Uh. Mr. The Plague, sir? I think we have a hacker,” shown after pam_authenticate as a message of the day.
“The Plague backdoor represents a sophisticated and evolving threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence. Its use of advanced obfuscation, static credentials, and environment tampering makes it particularly difficult to detect using conventional methods,” concludes the report.
Pierluigi Paganini
(SecurityAffairs – hacking, Plague backdoor)