Plague: A Newly Discovered PAM-Based Backdoor for Linux – Nextron Systems

A stealthy Linux backdoor named Plague has been discovered. It is implemented as a malicious PAM (Pluggable Authentication Modules) module that grants persistent, covert SSH access and has so far gone undetected by antivirus engines. The malware combines layered string obfuscation, anti-analysis checks and session-artifact clearing to maintain stealth and persistence.

Keypoints

  • Plague is a malicious PAM module that hooks into the PAM authentication stack to grant unauthorized, persistent SSH access on Linux systems, independent of the legitimate account credentials.
  • None of the Plague samples uploaded to VirusTotal is detected by any antivirus engine, highlighting how stealthy the implant is.
  • The malware uses multi-layered string obfuscation that evolves across samples from simple XOR to RC4-style KSA/PRGA routines and a DRBG, hindering both static detection and manual analysis.
  • It includes anti-analysis checks such as verifying its own filename (libselinux.so.8) and confirming that /etc/ld.so.preload is absent, in order to detect sandboxing, debugging and LD_PRELOAD-based hooking.
  • Plague unsets session-related environment variables (SSH_CONNECTION, SSH_CLIENT) and redirects HISTFILE to /dev/null, erasing traces of attacker activity and session artifacts.
  • Samples span a long period and multiple environments, indicating ongoing development and active use by threat actors.
  • A custom Unicorn-based emulation tool was developed to decrypt the obfuscated strings safely from within IDA Pro during analysis.

MITRE Techniques

  • [T1556.003] Modify Authentication Process: Pluggable Authentication Modules – Plague is a malicious PAM module that intercepts authentication requests and accepts attacker-controlled credentials. (‘modifies PAM authentication to bypass system authentication’)
  • [T1078] Valid Accounts – Static hardcoded passwords (“Mvi4Odm6tld7”, “IpV57KNK32Ih”, “changeme”) let the attacker authenticate to existing accounts without knowing the legitimate credentials.
  • [T1027] Obfuscated Files or Information – Multi-layer string obfuscation with runtime decryption (XOR, RC4-style KSA/PRGA, DRBG) to evade static detection. (‘employs evolving string obfuscation techniques’)
  • [T1622] Debugger Evasion – Verifies its own filename and checks for ld.so.preload to detect debuggers, sandboxes and preload-based hooks. (‘sample verifies that its actual filename is libselinux.so.8 and that ld.so.preload is not present’)
  • [T1070] Indicator Removal – Unsets session-related environment variables and redirects shell history to /dev/null (the latter is T1070.003, Clear Command History) to erase traces of attacker activity. (‘unset SSH_CONNECTION and SSH_CLIENT, redirects HISTFILE to /dev/null’)

Indicators of Compromise

  • [File Hash] Plague sample SHA-256 hashes – 85c66835657e3ee6a478a2e0b1fd3d87119bebadc43a16814c30eb94c53766bb, 7c3ada3f63a32f4727c62067d13e40bcb9aa9cbec8fb7e99a319931fc5a9332e, and 6 more hashes.
  • [File Name] Malicious binaries – libselinux.so.8, libse.so, hijack.
  • [Password] Hardcoded credentials used for access – Mvi4Odm6tld7, IpV57KNK32Ih, changeme.
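
The keypoints above describe the implant (a PAM module with hardcoded passwords, hidden under a libselinux-like name) and this list gives the published indicators. The following script is an added example, not Nextron's tooling or code from the report: it walks the PAM module directories, flags any file that matches the published names, SHA-256 hashes or hardcoded passwords, and lists the modules that /etc/pam.d actually loads so they can be compared against package-manager manifests. The module directory list is an assumption covering Debian/Ubuntu and RHEL-style layouts; the fixture in demo() is constructed and not a real sample.

```python
"""Host triage for the Plague PAM backdoor IoCs quoted on this page.

Added example, not Nextron's tooling. Scans PAM module directories for the
published names/hashes/passwords and reports which modules pam.d loads.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# IoCs quoted from the write-up (only the two full hashes given on this page).
PLAGUE_SHA256 = {
    "85c66835657e3ee6a478a2e0b1fd3d87119bebadc43a16814c30eb94c53766bb",
    "7c3ada3f63a32f4727c62067d13e40bcb9aa9cbec8fb7e99a319931fc5a9332e",
}
PLAGUE_NAMES = {"libselinux.so.8", "libse.so", "hijack"}
# "changeme" is a weak indicator on its own, so matches are labelled by confidence.
PLAGUE_PASSWORDS = {b"Mvi4Odm6tld7": "high", b"IpV57KNK32Ih": "high", b"changeme": "low"}

# Assumed PAM module directories (Debian/Ubuntu and RHEL-style layouts).
DEFAULT_PAM_DIRS = (
    "/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
)


def scan_file(path):
    """Return the list of reasons a single file matches the Plague IoCs."""
    reasons = []
    if path.name in PLAGUE_NAMES:
        reasons.append(f"known filename {path.name}")
    data = path.read_bytes()
    if hashlib.sha256(data).hexdigest() in PLAGUE_SHA256:
        reasons.append("known sha256")
    for pw, confidence in PLAGUE_PASSWORDS.items():
        if pw in data:
            reasons.append(f"hardcoded password {pw.decode()} ({confidence} confidence)")
    return reasons


def referenced_modules(pam_d):
    """Module basenames loaded by the config files under pam_d (normally /etc/pam.d)."""
    mods = set()
    for cfg in Path(pam_d).iterdir():
        if not cfg.is_file():
            continue
        for raw in cfg.read_text(errors="replace").splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line or line.startswith("@include"):
                continue
            # Line format: [-]type control module-path [arguments]; control may
            # be a bracketed list with spaces, so take the first .so-looking field.
            for field in line.split()[2:]:
                if field.endswith(".so") or ".so." in field:
                    mods.add(os.path.basename(field))
                    break
    return mods


def scan(pam_dirs=DEFAULT_PAM_DIRS, pam_d="/etc/pam.d"):
    """Scan the module directories; return {"matches": {path: reasons}, "loaded": set}."""
    matches = {}
    for d in pam_dirs:
        directory = Path(d)
        if not directory.is_dir():
            continue
        for f in directory.iterdir():
            if f.is_file():
                reasons = scan_file(f)
                if reasons:
                    matches[str(f)] = reasons
    loaded = referenced_modules(pam_d) if Path(pam_d).is_dir() else set()
    return {"matches": matches, "loaded": loaded}


def demo():
    """Run scan() on a constructed fixture (not a real sample): one benign module,
    one file with a Plague filename that embeds a hardcoded password, and a pam.d
    config that loads both."""
    root = Path(tempfile.mkdtemp())
    moddir, pam_d = root / "security", root / "pam.d"
    moddir.mkdir()
    pam_d.mkdir()
    (moddir / "pam_unix.so").write_bytes(b"\x7fELF" + b"\x00" * 64)
    (moddir / "libselinux.so.8").write_bytes(b"\x7fELF" + b"\x00" * 16 + b"Mvi4Odm6tld7\x00")
    (pam_d / "sshd").write_text(
        "# constructed sample config\n"
        "auth required pam_unix.so\n"
        "auth optional /lib/security/libselinux.so.8\n"
    )
    return scan([str(moddir)], str(pam_d))


if __name__ == "__main__":
    result = demo()
    for path, reasons in result["matches"].items():
        print(f"MATCH {path}: {'; '.join(reasons)}")
    print("modules loaded by pam.d:", sorted(result["loaded"]))
```

On a live host run `scan()` with its defaults as root; a module that pam.d loads but that no installed package owns (check with `dpkg -S` or `rpm -qf`) deserves the same scrutiny as a direct IoC hit, since the published names and hashes only cover the samples seen so far.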


Read more: https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/