Plague: A Newly Discovered PAM-Based Backdoor for Linux
9 months ago
- #Backdoor
- #Linux
- #Cybersecurity
- A stealthy Linux backdoor named 'Plague' has been identified, operating as a malicious PAM module to bypass authentication and gain persistent SSH access.
- Despite multiple variants uploaded to VirusTotal, no antivirus engines flag them as malicious, indicating effective evasion techniques.
- Plague integrates deeply into the authentication stack, survives system updates, and leaves minimal forensic traces, making detection difficult.
- The backdoor employs layered obfuscation, including XOR-based encryption, key-scheduling and pseudo-random generation (KSA/PRGA) routines, and a DRBG (deterministic random bit generator) layer, complicating analysis.
- Features include anti-debug mechanisms, string obfuscation, static passwords for covert access, and concealment of session artifacts to erase traces.
- Multiple samples compiled over time suggest active development and adaptation by threat actors, with unclear attribution.
- A reference to the movie 'Hackers' was found in the malware, visible only after deobfuscation.
- Hardcoded passwords like 'Mvi4Odm6tld7', 'IpV57KNK32Ih', and 'changeme' have been extracted from samples.
- A YARA rule has been developed to detect Plague backdoor ELF binaries targeting PAM authentication.
- A custom deobfuscation tool using Unicorn within IDA Pro was created to safely emulate and decrypt strings from samples.
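Because Plague is loaded like any other PAM module, one defender-side check is to enumerate what the PAM stack actually references and flag anything outside an expected baseline. The Python below is an added example, not code from the article or from the researchers' tooling; the baseline set, the sample service file and the placeholder module name `pam_example_unknown.so` are constructed for the example.

```python
"""Audit pam.d service files for modules outside a known baseline: Plague is
loaded as an ordinary PAM module, so enumerating what the stack loads is step one."""
import os
import re
from pathlib import Path
# Illustrative baseline, constructed for this example; derive the real set
# from the host's package inventory.
BASELINE = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_systemd.so"}

# type control module-path [args]; a leading '-' marks an optional module
LINE_RE = re.compile(r"^-?\s*(?P<type>auth|account|password|session)\s+"
                     r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)")

def referenced_modules(config_text):
    """Module paths referenced by one pam.d file's content, in stack order."""
    text = config_text.replace("\\\n", " ")  # join backslash continuations
    modules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("@include"):
            continue
        match = LINE_RE.match(line)
        if match:
            modules.append(match.group("module"))
    return modules

def suspicious_modules(config_text, baseline=BASELINE):
    """Flag modules loaded by absolute path or whose name is not in the baseline."""
    return [m for m in referenced_modules(config_text)
            if m.startswith("/") or os.path.basename(m) not in baseline]

def audit_pam_dir(pam_d="/etc/pam.d", baseline=BASELINE):
    """Run the check over every service file: {service: [flagged modules]}."""
    report = {}
    for path in sorted(p for p in Path(pam_d).iterdir() if p.is_file()):
        hits = suspicious_modules(path.read_text(errors="replace"), baseline)
        if hits:
            report[path.name] = hits
    return report

# Constructed sample service file (not from a real host); the last module is a
# made-up stand-in for an unexpected entry, not Plague's actual file name.
SAMPLE_CONFIG = """\
@include common-auth
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite   pam_deny.so
-session optional   pam_systemd.so
session required    pam_unix.so \\
                    close
auth    sufficient  pam_example_unknown.so   # unexpected module
"""
```

Complement this with a package-ownership check of every shared object in the PAM module directory (for example `dpkg -S` or `rpm -qf`), since a module file that no package claims is exactly what a dropped-in backdoor looks like and is what lets it survive system updates.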