Plague Linux PAM Backdoor

Researchers discovered Plague, a novel Linux backdoor that masquerades as a PAM library (e.g., libselinux.so.8) to provide persistent, stealthy SSH access and authentication bypass. The implant uses layered string obfuscation, antidebug/environment checks, and session artifact removal to evade detection and persist across updates. #Plague #libselinux.so.8

Keypoints

  • Plague functions as a malicious PAM module (commonly named libselinux.so.8) to subvert authentication and enable covert SSH access.
  • Static backdoor passwords such as “Mvi4Odm6tld7”, “changeme”, and “IpV57KNK32Ih” enable unauthorized entry and include a “bkr=1” flag for safe environment verification.
  • String obfuscation evolved across variants from simple XOR to custom KSA/PRGA and DRBG layers, complicating reverse engineering.
  • Antidebug checks validate exact filenames and environment variables (e.g., absence of ld.so.preload) to avoid sandbox/analysis environments.
  • Operational stealth includes unsetting SSH_CONNECTION and SSH_CLIENT, redirecting HISTFILE to /dev/null, and erasing session artifacts to remove forensic traces.
  • Seven analyzed samples showed varied compilation environments (Debian/Ubuntu GCC versions) and remained undetected by antivirus engines.
  • Samples are available in PolySwarm’s repository and can be searched via the provided CLI command.
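As an added example (not code from the PolySwarm write-up), the audit below applies the heuristic that legitimate PAM modules are named pam_*.so, so a module column naming libselinux.so.8 or a module loaded from an unusual directory is worth a closer look. The PAM config lines in SAMPLE_CONFIG are constructed; scan_pam_dir runs the same check over a real /etc/pam.d.

```python
#!/usr/bin/env python3
"""Flag PAM config entries whose module does not look like a real PAM module."""
import re
from pathlib import Path

# A PAM config line is: [-]<type> <control> <module-path> [args ...]
# The control field may be bracketed, e.g. [success=1 default=ignore].
PAM_LINE = re.compile(
    r"^\s*-?(auth|account|password|session)\s+"
    r"(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$"
)

# Genuine PAM modules follow the pam_<name>.so convention; libselinux.so.8
# is a libc-level library name and has no business in the module column.
LEGIT_MODULE = re.compile(r"^(?:.*/)?pam_[A-Za-z0-9_]+\.so$")
STANDARD_DIRS = ("/lib/", "/lib64/", "/usr/lib")

def suspicious_pam_modules(config_text: str) -> list[tuple[str, str]]:
    """Return (module, reason) pairs for entries that break the naming
    convention or load a module from a non-standard directory."""
    findings = []
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if not m:          # @include lines and the like are skipped here
            continue
        module = m.group(3)
        if not LEGIT_MODULE.match(module):
            findings.append((module, "module name does not follow pam_*.so convention"))
        elif "/" in module and not module.startswith(STANDARD_DIRS):
            findings.append((module, "module loaded from a non-standard directory"))
    return findings

def scan_pam_dir(pam_dir: str = "/etc/pam.d") -> dict[str, list[tuple[str, str]]]:
    """Run the check over every file in a real PAM directory (defender use)."""
    results = {}
    for path in sorted(Path(pam_dir).glob("*")):
        if path.is_file():
            hits = suspicious_pam_modules(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample resembling /etc/pam.d/sshd, with one masquerading entry
# and one module pulled from a writable location.
SAMPLE_CONFIG = """\
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       required     libselinux.so.8
account    required     pam_nologin.so
session    optional     /tmp/pam_motd.so
"""

if __name__ == "__main__":
    for mod, why in suspicious_pam_modules(SAMPLE_CONFIG):
        print(f"{mod}: {why}")
```

A hit only means the entry deserves verification against package ownership (for example dpkg -S or rpm -qf on the module path); a clean result does not prove the PAM stack is untouched.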

MITRE Techniques

  • [T1543] Create or Modify System Process – Plague installs as a PAM library (libselinux.so.8) to integrate into the authentication stack and provide persistent access; “…operates as a malicious PAM module to subvert authentication processes.”
  • [T1098] Account Manipulation (Credential Access) – Uses hardcoded static passwords and flags to bypass authentication, e.g., “Mvi4Odm6tld7”, “changeme”, “IpV57KNK32Ih”, and “bkr=1” for entry and environment verification.
  • [T1027] Obfuscated Files or Information – Employs layered obfuscation (XOR → KSA/PRGA → DRBG) to hide strings and memory offsets, described as “evolving obfuscation techniques… complicate reverse engineering.”
  • [T1218] Signed Binary Proxy Execution (or Living-off-the-Land) – Masquerades as a legitimate system library name (libselinux.so.8) to blend with trusted binaries and evade detection: “posing as legitimate libraries such as libselinux.so.8.”
  • [T1562] Impair Defenses (Indicator Removal) – Unsets SSH-related environment variables and redirects HISTFILE to /dev/null to remove traces: “unsets variables such as SSH_CONNECTION and SSH_CLIENT… redirects HISTFILE to /dev/null.”
  • [T1629] Container Administration Command – Antidebug/environment checks (filename and ld.so.preload absence) to detect analysis/sandbox environments and halt execution: “antidebug checks verify filenames and environment variables… halting execution in analysis environments.”

Indicators of Compromise

  • [File Hash] Plague sample hashes – 85c66835657e3ee6a478a2e0b1fd3d87119bebadc43a16814c30eb94c53766bb, 7c3ada3f63a32f4727c62067d13e40bcb9aa9cbec8fb7e99a319931fc5a9332e and 6 more hashes.
  • [File Name] Reported sample name – “hijack” (submission origin noted as China for that sample).
  • [Library Name] Malicious library masquerade – libselinux.so.8, used to integrate into the PAM/authentication stack.
  • [CLI Artifact] Search command for samples – polyswarm link list -f Plague (used to locate samples in the PolySwarm repository).


Read more: https://blog.polyswarm.io/plague-linux-backdoor