Full Report
Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that's being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called "darkworm." The backdoor is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination.
Analysis Summary
# Tool/Technique: PamDOORa
## Overview
PamDOORa is a Linux post-exploitation backdoor built as a Pluggable Authentication Module (PAM). Because a PAM module runs inside the authentication path of every service that loads it, the backdoor intercepts login processing directly rather than as a separate process. It targets SSH: an attacker who presents the attacker-chosen "magic password" together with the configured TCP port is let in regardless of the account's real password, so the real credential is never checked and the controls behind it (lockouts, rotation, password policy) are bypassed.
## Technical Details
- **Type:** Backdoor (malicious PAM module), sold as a post-exploitation toolkit
- **Platform:** Linux (any distribution whose services authenticate through Linux-PAM)
- **Capabilities:** Authentication bypass via a magic password; persistent remote SSH access gated by a TCP port trigger; as a module in the auth stack it also receives every password that sshd hands to PAM, which places it to capture credentials.
- **First Seen:** Disclosed/Advertised circa July 2024.
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
- T1556.003 - Modify Authentication Process: Pluggable Authentication Modules
- T1205.001 - Traffic Signaling: Port Knocking (the TCP port trigger that gates the magic password)
- **TA0005 - Defense Evasion**
- T1556.003 - Modify Authentication Process: Pluggable Authentication Modules
- **TA0006 - Credential Access**
- T1556.003 - Modify Authentication Process: Pluggable Authentication Modules (a module in the auth stack sees every password submitted to sshd)
- **TA0008 - Lateral Movement**
- T1021.004 - Remote Services: SSH (the access the backdoor grants)
## Functionality
### Core Capabilities
- **PAM Integration:** Loads as one of the modules in the PAM stack that sshd evaluates on login, so its code runs inside the privileged sshd process as part of the authentication flow, not as a separate service or listener.
- **Magic Password Bypass:** Any account can be entered with the attacker-defined "magic password" in place of the real one; logins with the real password keep working, so users notice nothing.
- **Port Triggering:** The magic password is honoured only in combination with a specific TCP port (or port combination), so the backdoor is not exposed to every password guess against the host and is unlikely to be tripped by accident.
### Advanced Features
- **Stealth Preservation:** As a PAM module it is loaded by a legitimate, expected process (sshd) through the mechanism that process is meant to use, so there is no extra binary, process, or listening socket to find; the only artifacts are a shared object in the PAM module directory and the configuration line that references it.
- **Post-Exploitation Persistence:** Survives reboots, because PAM modules and their configuration are ordinary files read on every authentication; survives package updates unless the update rewrites the modified service file or replaces the module the backdoor impersonates.
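The mechanism behind the three capabilities above is the control-flag evaluation of a PAM `auth` stack: a `sufficient` entry placed ahead of `pam_unix.so` ends the stack with success before the real password check runs. The following toy model is added here as an illustration and is not PamDOORa's code or any real PAM API; the magic password, trigger port and user table are constructed values, and the toy backdoor simply reads the port from the request context (how a real module would learn it is not described on this page).

```python
# Toy model of how Linux-PAM evaluates an 'auth' stack, written for this page as an
# illustration. It is not PamDOORa's code and calls no real PAM API; the magic
# password, trigger port and user database below are constructed values.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7   # codes from <security/_pam_types.h>

USERS = {"alice": "correct horse battery staple"}       # constructed stand-in for /etc/shadow
MAGIC_PASSWORD = "Op3n-S3sam3"                         # hypothetical attacker-chosen trigger
TRIGGER_PORT = 2222                                    # hypothetical attacker-chosen TCP port


def pam_unix(ctx):
    """Stand-in for pam_unix.so: succeed only on the account's real password."""
    return PAM_SUCCESS if USERS.get(ctx["user"]) == ctx["password"] else PAM_AUTH_ERR


def pam_backdoor(ctx):
    """Stand-in for a PamDOORa-style module: succeed only when the magic password
    arrives on the trigger port; otherwise fail quietly so the real stack decides.
    The port is just a field of the request context in this toy."""
    if ctx["password"] == MAGIC_PASSWORD and ctx["local_port"] == TRIGGER_PORT:
        return PAM_SUCCESS
    return PAM_AUTH_ERR


def run_auth_stack(stack, ctx):
    """Evaluate [(control, module), ...] in file order with pam.conf(5) semantics.
    impression: None = no module has decided yet, True = positive, False = negative."""
    impression, status = None, PAM_PERM_DENIED        # an undecided stack denies
    for control, module in stack:
        rc = module(ctx)
        if control == "sufficient":
            if rc == PAM_SUCCESS and impression is not False:
                return PAM_SUCCESS                    # short-circuit: later modules never run
            continue                                  # a failing 'sufficient' is ignored
        if rc == PAM_SUCCESS:
            if impression is None:
                impression, status = True, PAM_SUCCESS
        elif control == "requisite":
            return rc                                 # fail immediately
        elif control == "required" and impression is not False:
            impression, status = False, rc            # remember failure, keep running the rest
        # 'optional' failures never change the outcome
    return status


def login(stack, user, password, local_port):
    """True if the stack would let this SSH password attempt through."""
    ctx = {"user": user, "password": password, "local_port": local_port}
    return run_auth_stack(stack, ctx) == PAM_SUCCESS


CLEAN_STACK = [("required", pam_unix)]
# The typical insertion: a 'sufficient' line ahead of pam_unix.so in /etc/pam.d/sshd
BACKDOORED_STACK = [("sufficient", pam_backdoor), ("required", pam_unix)]
# The same module placed after pam_unix.so: the recorded 'required' failure means a
# later 'sufficient' success cannot flip the result, so placement (or replacing
# pam_unix.so itself) is what the attacker needs to get right.
MISPLACED_STACK = [("required", pam_unix), ("sufficient", pam_backdoor)]

if __name__ == "__main__":
    for name, stack in [("clean", CLEAN_STACK), ("backdoored", BACKDOORED_STACK),
                        ("misplaced", MISPLACED_STACK)]:
        print(name, "real pw:", login(stack, "alice", USERS["alice"], 22),
              "magic@2222:", login(stack, "alice", MAGIC_PASSWORD, 2222),
              "magic@22:", login(stack, "alice", MAGIC_PASSWORD, 22))
```

The `MISPLACED_STACK` case is why detection logic should look at `sufficient` entries that precede `pam_unix.so` in the `auth` stack, and why a trojanized `pam_unix.so` (which needs no configuration change at all) has to be caught by package integrity checks instead.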
## Indicators of Compromise
- **File Hashes:** Not provided on this page; when published, expect SHA-256 values for the `.so` module.
- **File Names:** `pam_unix.so` (a trojanized copy replacing the genuine module) or an additional module under an arbitrary name in the PAM module directory: `/lib/security/` or `/lib64/security/` on older layouts, `/usr/lib/x86_64-linux-gnu/security/` on current Debian and Ubuntu, `/usr/lib64/security/` on the RHEL family.
- **Network Indicators:** Successful SSH authentications arriving on a port other than the host's configured SSH port(s), or a connection pattern resembling a knock sequence against ports the host does not normally serve. The trigger port is attacker-configured, so baseline the host's normal SSH ports and alert on deviations rather than looking for one fixed value.
- **Behavioral Indicators:**
- Modification of files in `/etc/pam.d/` (specifically `sshd` and the shared stacks it includes: `common-auth` on Debian-family systems, `system-auth` and `password-auth` on the RHEL family).
- Unexpected shared objects loaded by the `sshd` process; PAM modules are `dlopen`ed on demand by the privileged per-connection sshd, so inspect its `/proc/<pid>/maps` while a login is in progress.
## Associated Threat Actors
- **darkworm** (Vendor/Developer on the Rehub Russian cybercrime forum).
## Detection Methods
- **Allowlist and package-ownership checks:** Enumerate every shared object in the PAM module directory and ask the package manager who owns it (`dpkg -S` or `rpm -qf`); a module owned by no package, or whose hash differs from the package's, is suspect. Distribution shared objects carry no signature, so "unsigned" is not a usable criterion; ownership and hashes are. Once hashes for the module are published, match against those too.
- **Behavioral detection:** Alert on any write, rename or attribute change to the PAM configuration files in `/etc/pam.d/` and to the module directory, and review `auth` entries marked `sufficient` that sit ahead of `pam_unix.so` in the `sshd` stack or the stacks it includes.
- **Integrity Checking:** `rpm -V pam openssh-server` (RHEL family) or `debsums -a libpam-modules libpam-runtime openssh-server` (Debian family) compares the installed PAM libraries and the service files in `/etc/pam.d/` against package checksums. Run them from clean boot media or compare against a known-good host, because an attacker who owns root can also tamper with the local package database.
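The behavioral indicators above (PAM configuration changes, unexpected objects in sshd) and the detection methods here amount to three checks that can be scripted: which modules the `sshd` service stack actually references once includes are resolved, whether any of them can short-circuit authentication ahead of `pam_unix.so`, and which PAM objects a running sshd has mapped. The scanner below is added for this page and is not a published tool; the allowlist is an assumption (build the real one from the package manager on a known-good host), the `/etc/pam.d` sample and the `/proc/<pid>/maps` excerpt are constructed, and `pam_sshback.so` is a hypothetical module name.

```python
import glob
import os

# Allowlist assumed for illustration; on a real host derive it from the package
# manager on a known-good system (e.g. dpkg -L libpam-modules, rpm -ql pam).
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_nologin.so", "pam_limits.so",
    "pam_env.so", "pam_motd.so", "pam_mail.so", "pam_loginuid.so", "pam_keyinit.so",
    "pam_selinux.so", "pam_systemd.so",
}


def parse_pam_config(files, name, chain=()):
    """Flatten one PAM service file into (type, control, module, args) tuples,
    following @include / include / substack into the other entries of `files`
    (a dict of file name -> contents). Handles bracketed controls such as
    [success=1 default=ignore] and the '-' optional-module prefix."""
    if name in chain:                       # include loop guard
        return []
    chain = chain + (name,)
    entries = []
    for raw in files.get(name, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "@include":
            entries += parse_pam_config(files, tokens[1], chain)
            continue
        mtype = tokens[0].lstrip("-")
        if tokens[1].startswith("["):
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if control in ("include", "substack"):
            entries += parse_pam_config(files, rest[0], chain)
            continue
        entries.append((mtype, control, rest[0], tuple(rest[1:])))
    return entries


def unknown_modules(entries, known=KNOWN_MODULES):
    """Modules not on the allowlist, or loaded by explicit path instead of by name
    (a path such as /tmp/pam_unix.so bypasses the module directory entirely)."""
    return sorted({m for _, _, m, _ in entries
                   if "/" in m or os.path.basename(m) not in known})


def auth_bypass_candidates(entries):
    """'auth' entries able to end the stack with success before pam_unix.so is
    consulted: 'sufficient' or an explicit success=done action. Legitimate stacks
    (pam_sss, pam_krb5, ...) use the same construct, so hits are review items."""
    hits = []
    for mtype, control, module, _ in entries:
        if mtype != "auth":
            continue
        if os.path.basename(module) == "pam_unix.so":
            break
        if control == "sufficient" or "success=done" in control:
            hits.append(module)
    return hits


def unexpected_mapped_modules(maps_text, known=KNOWN_MODULES):
    """PAM objects mapped into a process (text of /proc/<pid>/maps) that are not
    on the allowlist: anything under a .../security/ directory or named pam_*."""
    hits = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) == 6:
            path = parts[5].strip()
            base = os.path.basename(path)
            if ("/security/" in path or base.startswith("pam_")) and base not in known:
                hits.add(path)
    return sorted(hits)


def scan_host(service="sshd", pam_dir="/etc/pam.d", pid=None):
    """Run the three checks against the live host (the samples below do not use this)."""
    files = {os.path.basename(p): open(p, errors="replace").read()
             for p in glob.glob(os.path.join(pam_dir, "*")) if os.path.isfile(p)}
    entries = parse_pam_config(files, service)
    report = {"unknown": unknown_modules(entries), "bypass": auth_bypass_candidates(entries)}
    if pid is not None:
        with open(f"/proc/{pid}/maps") as fh:
            report["mapped"] = unexpected_mapped_modules(fh.read())
    return report


# Constructed sample: Debian-style layout with one 'sufficient' line inserted ahead
# of the common-auth include. pam_sshback.so is a hypothetical module name.
SAMPLE_PAMD = {
    "sshd": ("# PAM configuration for the Secure Shell service\n"
             "auth    sufficient  pam_sshback.so\n"
             "@include common-auth\n"
             "account required    pam_nologin.so\n"
             "session required    pam_limits.so\n"),
    "common-auth": ("auth    [success=1 default=ignore]  pam_unix.so nullok\n"
                    "auth    requisite   pam_deny.so\n"
                    "auth    required    pam_permit.so\n"),
}
# Constructed /proc/<pid>/maps excerpt for the privileged sshd during a login.
SAMPLE_MAPS = (
    "7f3c5a200000-7f3c5a20a000 r-xp 00000000 fd:01 1311 /usr/lib/x86_64-linux-gnu/security/pam_unix.so\n"
    "7f3c5a300000-7f3c5a302000 r-xp 00000000 fd:01 9911 /usr/lib/x86_64-linux-gnu/security/pam_sshback.so\n"
    "7f3c5a400000-7f3c5a5c0000 r-xp 00000000 fd:01 2200 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd1e600000-7ffd1e621000 rw-p 00000000 00:00 0 [stack]\n"
)

if __name__ == "__main__":
    entries = parse_pam_config(SAMPLE_PAMD, "sshd")
    print("unknown modules:", unknown_modules(entries))
    print("auth bypass candidates:", auth_bypass_candidates(entries))
    print("unexpected mapped modules:", unexpected_mapped_modules(SAMPLE_MAPS))
```

`scan_host()` reads the real `/etc/pam.d` and, given the PID of the per-connection sshd, its map; run it as root during an active login, since Linux-PAM unloads modules at `pam_end` and an idle listener may show none. A trojanized `pam_unix.so` passes all three checks by design, which is what the package integrity check is for.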
## Mitigation Strategies
- **File Integrity Monitoring (FIM):** Baseline and alert on changes to `/etc/pam.d/` and to the PAM module directory for the distribution (`/usr/lib/x86_64-linux-gnu/security/` on Debian and Ubuntu, `/usr/lib64/security/` on the RHEL family, plus the legacy `/lib/security/` and `/lib64/security/` paths if present). Both a new module and an edited service file change these directories.
- **Hardening:** Require SSH keys and close every route by which a typed password reaches the PAM auth stack: set `PasswordAuthentication no` and `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on OpenSSH older than 8.7), since keyboard-interactive also delivers the password to PAM; `AuthenticationMethods publickey` enforces key-only regardless of the other two. This removes the magic-password entry point but not the module: with `UsePAM yes`, sshd still runs the PAM account and session stacks for key-based logins, so a malicious module placed there still executes inside the privileged sshd process, even though it can no longer substitute a password.
- **Audit Logging:** Configure `auditd` watch rules on `/etc/pam.d/` and the PAM module directory for write and attribute-change events, keyed for searching; the resulting records tie the install of a module or the edit of a service file to a process, user and time, which FIM alone does not give you.
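The sshd part of that hardening is easy to get subtly wrong (a host with `PasswordAuthentication no` but keyboard-interactive still enabled is not closed). The checker below is added for this page and is not from the page, OpenSSH or any vendor tool; it reads the output of `sshd -T`, which prints the effective configuration as one lowercase keyword per line, and reports every client authentication method through which a magic password can still reach the PAM auth stack. The weak and hardened sample outputs are constructed.

```python
# Checker for the sshd side of the hardening, added for this page as an illustration.
# Input is the text printed by `sshd -T` (effective config, lowercase keywords).

WEAK_SSHD_T = """\
port 22
usepam yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
authenticationmethods any
permitrootlogin without-password
"""

HARDENED_SSHD_T = """\
port 22
usepam yes
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
authenticationmethods publickey
permitrootlogin prohibit-password
"""


def parse_sshd_t(output):
    """sshd -T output -> {keyword: [values...]} (keywords such as 'port' may recur)."""
    cfg = {}
    for line in output.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg


def pam_auth_paths(cfg):
    """Client authentication methods through which a typed password reaches the
    PAM auth stack (pam_authenticate). [] means a magic password has no way in."""
    def yes(key):
        return cfg.get(key, ["no"])[0].lower() == "yes"
    if not yes("usepam"):
        return []            # UsePAM no: sshd checks passwords itself, PAM is never asked
    paths = []
    if yes("passwordauthentication"):
        paths.append("password")
    # OpenSSH 8.7+ prints kbdinteractiveauthentication; older releases print the
    # challengeresponseauthentication alias. Both deliver the password to PAM.
    if yes("kbdinteractiveauthentication") or yes("challengeresponseauthentication"):
        paths.append("keyboard-interactive")
    methods = cfg.get("authenticationmethods", ["any"])[0]
    if methods != "any":
        # Space-separated alternatives, each a comma-separated chain that must all
        # succeed; "publickey,password" still reaches PAM once a valid key is shown.
        allowed = {m for alt in methods.split() for m in alt.split(",")}
        paths = [p for p in paths if p in allowed]
    return paths


def pam_stacks_on_key_login(cfg):
    """PAM stacks sshd still runs for a publickey login. With UsePAM yes the account
    and session stacks execute, so a module planted there runs in the privileged
    sshd process even though it can never grant access by itself."""
    return ["account", "session"] if cfg.get("usepam", ["no"])[0].lower() == "yes" else []


def assess(output):
    cfg = parse_sshd_t(output)
    return {"pam_password_paths": pam_auth_paths(cfg),
            "pam_stacks_on_key_login": pam_stacks_on_key_login(cfg)}


if __name__ == "__main__":
    print("weak:    ", assess(WEAK_SSHD_T))
    print("hardened:", assess(HARDENED_SSHD_T))
```

On a live host pipe `sshd -T` into `assess()` (it must run as root to read the host keys); an empty `pam_password_paths` list is the target state, and the non-empty `pam_stacks_on_key_login` list is the reminder that key-only SSH does not make the module directory safe to ignore.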
## Related Tools/Techniques
- **Credential-logging PAM backdoors:** Earlier PAM-based rootkit components, commonly trojanized `pam_unix.so` builds, that recorded the passwords passing through the auth stack rather than granting access.
- **Umbreon Rootkit:** Known for using PAM hooks for persistence.
- **Azazel:** A user-land rootkit that interacts with the dynamic linker and PAM.