A newly discovered Linux malware, which has evaded detection for over a year, allows attackers to gain persistent SSH access and bypass authentication on compromised systems. [...]
Analysis Summary
# Tool/Technique: Plague Linux Malware
## Overview
Plague is a newly discovered, sophisticated backdoor malware specifically targeting Linux systems. Its primary function is to establish stealthy, persistent SSH access by deeply integrating into the system's Pluggable Authentication Modules (PAM) stack. It is designed to evade detection by actively sanitizing its presence, including wiping login history and environmental traces.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Linux
- Capabilities: Establishes persistent SSH access, integrates with PAM, sanitizes forensic evidence, layered obfuscation, uses static credentials.
- First Seen: Multiple variants have been observed on VirusTotal over the past year, and the malware appears to have been under active development for an extended period.
## MITRE ATT&CK Mapping
*Note: Direct mappings based on described behavior:*
- **TA0003 - Persistence**
- T1548.003 - Abuse Elevation Control Mechanism: Abuse of Pluggable Authentication Modules (PAM)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information: Layered Obfuscation
- T1070.004 - Indicator Removal: File Deletion/Modification (Wiping history/logs)
- **TA0002 - Execution**
- T1059.004 - Command and Scripting Interpreter: Unix Shell
## Functionality
### Core Capabilities
- Maintains stealthy, persistent access via SSH.
- Integrates deeply into the Linux PAM authentication stack to ensure persistence that survives system updates.
- Utilizes static credentials for backdoor access.
### Advanced Features
- **Runtime Environment Sanitization:** Actively removes evidence of its operation by unsetting crucial environment variables like `SSH_CONNECTION` and `SSH_CLIENT` (using `unsetenv`).
- **Shell History Tampering:** Redirects the history file (`HISTFILE`) to `/dev/null` to prevent shell command logging.
- **Evasion:** Leverages layered obfuscation and environment tampering, making it exceptionally difficult for traditional analysis tools to detect.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context - likely masked or generic process names]
- Registry Keys: [Not applicable to Linux/PAM installation, but relevant paths might include PAM configuration files]
- Network Indicators: [Not provided in the context; no C2 servers or domains are detailed]
- Behavioral Indicators: Unsetting `SSH_CONNECTION`, unsetting `SSH_CLIENT`, redirecting `HISTFILE` to `/dev/null`.
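The behavioral indicators listed here and under Advanced Features (unset `SSH_CONNECTION`/`SSH_CLIENT`, `HISTFILE` pointed at `/dev/null`) can be hunted for directly from `/proc`. The following is an added example written for this page, not code from the report or from any vendor; the sample processes, PIDs and addresses are constructed, and the classifier assumes the session shell's parent process is named `sshd` (OpenSSH 9.8 and later use `sshd-session`, so extend the name check for those hosts).

```python
"""Hunt for the runtime-sanitization indicators: a non-sshd child of sshd
whose environment lacks SSH_CONNECTION/SSH_CLIENT, or any process whose
HISTFILE is /dev/null. Constructed example for this page, not report code."""
import os
from typing import Dict, List, Tuple

SSH_VARS = ("SSH_CONNECTION", "SSH_CLIENT")


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE blob found in /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def classify(env: Dict[str, str], comm: str, parent_comm: str) -> List[str]:
    """Return the indicator names a process matches (empty list = nothing found).

    sshd's own privilege-separated children are also named sshd and never
    carry SSH_CONNECTION, so the missing-variable check applies only to
    non-sshd children of sshd (the session shell and what it spawns)."""
    findings: List[str] = []
    if parent_comm == "sshd" and comm != "sshd":
        missing = [v for v in SSH_VARS if v not in env]
        if missing:
            findings.append("ssh_session_missing:" + ",".join(missing))
    if env.get("HISTFILE") == "/dev/null":
        findings.append("histfile_devnull")
    return findings


def read_proc_entry(pid: str, proc: str = "/proc") -> Tuple[Dict[str, str], str, str]:
    """Collect (environ, comm, parent comm) for one PID from a live /proc.
    Reading another user's environ requires root."""
    with open(f"{proc}/{pid}/environ", "rb") as f:
        env = parse_environ(f.read())
    with open(f"{proc}/{pid}/comm") as f:
        comm = f.read().strip()
    with open(f"{proc}/{pid}/stat") as f:
        # /proc/<pid>/stat is "pid (comm) state ppid ..."; split after the
        # closing paren so a comm containing spaces cannot shift the fields.
        ppid = f.read().rsplit(")", 1)[1].split()[1]
    with open(f"{proc}/{ppid}/comm") as f:
        parent_comm = f.read().strip()
    return env, comm, parent_comm


def scan_live(proc: str = "/proc") -> Dict[int, List[str]]:
    """Walk every PID and return {pid: findings} for the suspicious ones."""
    hits: Dict[int, List[str]] = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            env, comm, parent_comm = read_proc_entry(pid, proc)
        except OSError:
            continue  # process exited or environ not readable
        found = classify(env, comm, parent_comm)
        if found:
            hits[int(pid)] = found
    return hits


# Constructed sample processes: pid -> (raw environ, comm, parent comm).
SAMPLES = {
    4242: (b"USER=alice\0SSH_CONNECTION=203.0.113.5 51234 198.51.100.7 22\0"
           b"SSH_CLIENT=203.0.113.5 51234 22\0HISTFILE=/home/alice/.bash_history\0",
           "bash", "sshd"),                              # normal interactive login
    4243: (b"USER=alice\0HISTFILE=/dev/null\0", "bash", "sshd"),  # both indicators
    4100: (b"\0", "sshd", "sshd"),                       # privsep child: must not alert
    1200: (b"PATH=/usr/bin\0", "cron", "systemd"),       # unrelated daemon
}


def scan_samples() -> Dict[int, List[str]]:
    """Run the classifier over the constructed samples instead of live /proc."""
    hits: Dict[int, List[str]] = {}
    for pid, (raw, comm, parent) in SAMPLES.items():
        found = classify(parse_environ(raw), comm, parent)
        if found:
            hits[pid] = found
    return hits


if __name__ == "__main__":
    print(scan_samples())   # on a real host use scan_live() as root
```

Note that `/proc/<pid>/environ` reflects the environment a process received at `execve`, not changes it made afterwards, so this catches a session whose environment was stripped before the shell started (as the PAM-level tampering described above would do) but not an `unset` typed inside an already running shell; children of that shell inherit the modified environment and would be caught on the next scan.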
## Associated Threat Actors
- Not currently attributed to any known actor; variants have gone undetected by antivirus engines on VirusTotal for the past year.
## Detection Methods
- Signature-based detection: Currently ineffective, as variants have gone undetected by multiple antivirus engines.
- Behavioral detection: Focus on anomalous modifications to PAM configurations or unexpected environment variable manipulation during SSH sessions.
- YARA rules if available: [Not available in the context]
## Mitigation Strategies
- **PAM Monitoring:** Implement rigorous auditing and integrity monitoring of Pluggable Authentication Modules (PAM) configuration files and libraries.
- **Session Logging:** Ensure robust, centralized logging mechanisms that capture session metadata and command execution *before* potential tampering by user-space processes.
- **Environment Hardening:** Employ security configurations that minimize the ability of standard SSH processes or user sessions to modify core system environmental variables or critical file descriptors dynamically.
- **System Updates:** While Plague aims to survive updates, ensuring systems are patched reduces the window for initial exploitation used to deploy the malware.
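The behavioral-detection and PAM-monitoring points above (anomalous PAM configuration changes, integrity monitoring of PAM files and libraries) come down to two checks: a hash baseline over the PAM configuration and module directories, and a parse of `/etc/pam.d/*` that flags module references a clean host would not have. The following is an added example written for this page, not code from the report or from any vendor; the module directories, the allowlist and the tampered sample file are constructed assumptions, and the backdoor path and module name in the demo are placeholders.

```python
"""PAM integrity and configuration audit. Constructed example for this page.
(1) baseline(): SHA-256 every file under the PAM config/module directories and
    diff against a stored baseline, so an overwritten module or edited pam.d
    file shows up as 'changed';
(2) audit_pam_conf(): parse /etc/pam.d/* and flag modules not on an allowlist
    or loaded from outside the standard module directories."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Assumed standard locations; adjust for the distribution being audited.
PAM_CONF_DIR = "/etc/pam.d"
PAM_MODULE_DIRS = ("/lib/security", "/lib64/security",
                   "/lib/x86_64-linux-gnu/security", "/usr/lib64/security")

# Allowlist of module file names expected on the host (constructed; build it
# from a known-clean install of the same distribution release).
ALLOWED_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_systemd.so",
    "pam_limits.so", "pam_deny.so", "pam_permit.so", "pam_motd.so",
    "pam_selinux.so", "pam_loginuid.so", "pam_keyinit.so", "pam_lastlog.so",
    "pam_mail.so", "pam_faillock.so", "pam_pwquality.so", "pam_sepermit.so",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(dirs: Iterable[str]) -> Dict[str, str]:
    """Map every regular file under the given directories to its SHA-256."""
    out: Dict[str, str] = {}
    for d in dirs:
        for p in sorted(Path(d).rglob("*")):
            if p.is_file():
                out[str(p)] = sha256_file(p)
    return out


def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed or changed since the stored baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _split1(s: str) -> Tuple[str, str]:
    """Split on the first run of whitespace (tabs are common in pam.d)."""
    p = s.split(None, 1)
    return (p[0], p[1]) if len(p) == 2 else ((p[0], "") if p else ("", ""))


def parse_pam_lines(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (type, control, module, args) per rule in a pam.d file.
    Skips comments and @include lines; handles the leading '-' that marks an
    optional module and bracketed controls such as [success=1 default=ignore]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        if line.startswith("-"):
            line = line[1:]
        mtype, rest = _split1(line)
        if not rest:
            continue
        if rest.startswith("["):
            close = rest.find("]")
            control, rest = rest[:close + 1], rest[close + 1:]
        else:
            control, rest = _split1(rest)
        module, args = _split1(rest.strip())
        if module:
            rules.append((mtype.lower(), control, module, args.strip()))
    return rules


def audit_pam_conf(conf_dir: str, allowed=ALLOWED_MODULES,
                   module_dirs=PAM_MODULE_DIRS) -> List[str]:
    """Flag rules that load from a non-standard path or name an unknown module.
    'sufficient' on an unknown module is rated HIGH: a success there satisfies
    the stack immediately unless an earlier required module already failed."""
    findings: List[str] = []
    for path in sorted(Path(conf_dir).glob("*")):
        if not path.is_file():
            continue
        for mtype, control, module, _args in parse_pam_lines(path.read_text()):
            name = os.path.basename(module)
            if module.startswith("/") and os.path.dirname(module) not in module_dirs:
                findings.append(f"{path.name}: {mtype} loads {module} from outside the module dirs")
            if name not in allowed:
                sev = "HIGH" if control == "sufficient" else "MEDIUM"
                findings.append(f"{path.name}: [{sev}] unknown module {name} ({mtype} {control})")
    return findings


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Build a constructed pam.d tree, baseline it, tamper with it, and audit."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "pam.d"
        conf.mkdir()
        (conf / "sshd").write_text(
            "# constructed sample, not a real host file\n"
            "auth\trequired\tpam_unix.so nullok\n"
            "auth\t[success=1 default=ignore]\tpam_unix.so\n"
            "-session optional pam_systemd.so\n")
        before = baseline([str(conf)])
        # Simulate an injected rule; the path and module name are placeholders.
        with (conf / "sshd").open("a") as f:
            f.write("auth\tsufficient\t/opt/PLACEHOLDER/pam_unknown.so\n")
        return diff_baseline(before, baseline([str(conf)])), audit_pam_conf(str(conf))
```

Run `demo()` to see both checks fire on the tampered sample; on a real host, store `baseline([PAM_CONF_DIR, *PAM_MODULE_DIRS])` off-box at build time and compare on a schedule, and run `audit_pam_conf(PAM_CONF_DIR)` from the same job. The two checks complement each other: a module replaced in place under a legitimate name is caught only by the hash diff, while a new rule pointing at a file elsewhere is caught by the configuration audit even before the baseline is refreshed.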
## Related Tools/Techniques
- Other PAM-based backdoors (as referenced in associated Nextron Systems research).
- Other Linux malware utilizing stealthy persistence mechanisms on server infrastructure.