Full Report
A newly discovered Linux backdoor, dubbed Plague, was embedded as a malicious PAM (Pluggable Authentication Module) component. Designed to silently bypass system authentication, Plague grants attackers persistent SSH access while evading all known antivirus detection and leavi...
Analysis Summary
# Tool/Technique: Plague PAM-Based Backdoor
## Overview
Plague is a newly discovered, highly evasive Linux backdoor implanted as a malicious PAM (Pluggable Authentication Module). Its primary purpose is to grant attackers persistent, stealthy SSH access by silently bypassing system authentication mechanisms.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Linux
- Capabilities: Bypasses PAM authentication, grants persistent SSH access, employs advanced obfuscation, evades AV, and cleans up forensic evidence.
- First Seen: Samples dating back to mid-2024; Publicly reported in August 2025.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1110 - Brute Force
    - T1110.003 - Password Guessing
- **TA0003 - Persistence**
  - T1548.002 - Bypass User Account Control (Implied by modifying core authentication components)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1055 - Process Injection (Implied by deep library integration)
  - T1622 - Indicator Removal on Host
## Functionality
### Core Capabilities
* **Authentication Bypass:** Embedded as a malicious PAM component to intercept and subvert the standard Linux authentication process.
* **Persistent Access:** Establishes reliable, persistent access via SSH credentials known only to the attacker (controlled via hardcoded static passwords).
* **Stealth Initialization:** Impersonates legitimate shared libraries (e.g., `libselinux.so.8`) to ensure it is loaded correctly during the login sequence.
### Advanced Features
* **Anti-AV Evasion:** Evades all known antivirus detection mechanisms.
* **Defense Against Analysis:** Implements anti-debug checks to prevent execution within monitored environments (sandboxes or analysis VMs).
* **Forensic Cleanup:** Clears SSH-related environment variables and shell history files to minimize forensic traces after use.
* **String/Memory Protection:** Leverages multiple layers of obfuscation, including XOR encryption, custom KSA/PRGA-like (RC4-style key-scheduling and keystream) routines, and a DRBG (Deterministic Random Bit Generator), to protect internal data, strings, and memory offsets.
* **Conditional Activation:** Checks runtime conditions before activating to ensure maximum stealth when analyzed dynamically.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: Malicious PAM component impersonating legitimate libraries (e.g., `libselinux.so.8`).
- Registry Keys: [Not applicable to Linux PAM structure]
- Network Indicators: [Not specified in the context, though SSH access is granted]
- Behavioral Indicators: Modification of PAM configuration files, unexpected loading of shared libraries during authentication events, and clearing of system shell history files.
## Associated Threat Actors
- None specified (Reported as a "Newly discovered" backdoor).
## Detection Methods
- Signature-based detection: Currently limited as the malware evades *known* AV. Custom signatures based on internal cryptographic routines may be needed.
- Behavioral detection: Monitoring for unexpected loading order of PAM modules, unusual system calls related to authentication during SSH attempts, and post-interaction cleanup of shell history.
- YARA rules: Rules targeting the custom XOR and DRBG obfuscation routines would be effective.
## Mitigation Strategies
* Regularly audit and verify the integrity of critical shared object files in `/lib` and `/usr/lib`, especially those associated with authentication libraries.
* Strictly control PAM configuration files (`/etc/pam.d/`).
* Implement mandatory access controls (e.g., SELinux or AppArmor) to restrict library loading paths.
* Use robust SSH key-based authentication rather than relying solely on passwords; note, however, that Plague appears to authenticate with its own hardcoded passwords, so this hardens the login path rather than disabling the backdoor itself.
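As an added example (not code from the original report or from any Plague analysis tooling), the following script implements the behavioral check from the Detection Methods section and the `/etc/pam.d/` control from the Mitigation Strategies section: it parses PAM configuration text and flags any module that is loaded by an absolute path outside the distribution's module directories, or whose file name is not on a host baseline. The trusted directories, the baseline module set, and the sample `sshd` fragment are assumptions constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Assumed: directories where distribution-packaged PAM modules normally live.
TRUSTED_MODULE_DIRS = {"/lib/security", "/lib64/security",
                       "/usr/lib/security", "/usr/lib64/security",
                       "/usr/lib/x86_64-linux-gnu/security"}
# Assumed allow-list of module file names expected on the audited host.
BASELINE_MODULES = {"pam_env.so", "pam_unix.so", "pam_deny.so",
                    "pam_permit.so", "pam_nologin.so", "pam_limits.so"}

def parse_pam_config(text):
    """Return (type, control, module, args) tuples from PAM config text.
    Handles '#' comments, backslash line continuations, [bracketed]
    control fields and @include lines (reported with type '@include')."""
    entries = []
    logical = re.sub(r"\\\n", " ", text)          # join continued lines
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        if line.startswith("@include"):
            entries.append(("@include", "", line.split()[1], ""))
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            entries.append(m.groups())
    return entries

def suspicious_modules(entries):
    """Flag modules loaded from outside the trusted directories, or
    bare module names that are not on the baseline allow-list."""
    findings = []
    for mtype, _control, module, _args in entries:
        if mtype == "@include":
            continue
        path = PurePosixPath(module)
        if path.is_absolute():
            if str(path.parent) not in TRUSTED_MODULE_DIRS:
                findings.append((module, "absolute path outside trusted dirs"))
        elif module not in BASELINE_MODULES:
            findings.append((module, "module not in baseline"))
    return findings

# Constructed sample /etc/pam.d/sshd fragment, not taken from a real host.
SAMPLE_SSHD = """\
auth       required     pam_env.so
@include common-auth
auth       [success=1 default=ignore] pam_unix.so nullok \\
           try_first_pass   # continued line
auth       optional     /usr/local/lib/libselinux.so.8   # impersonated name
auth       required     pam_deny.so
"""

if __name__ == "__main__":
    for finding in suspicious_modules(parse_pam_config(SAMPLE_SSHD)):
        print(*finding)
```

On a live host, run `suspicious_modules` over every file under `/etc/pam.d/` and pair any finding with a package-ownership check (for example `dpkg -S` or `rpm -qf` on the flagged path) before treating it as an incident.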
## Related Tools/Techniques
* Malicious PAM modules (General technique).
* Backdoors using legitimate library impersonation (e.g., rootkits leveraging shared library hijacking).
* Linux malware utilizing sophisticated runtime obfuscation techniques.