

Ethical Hacking News

New Linux Backdoor "Plague" Exploits Authentication Mechanisms to Maintain Stealth and Persistence


A new Linux backdoor known as "Plague" has been discovered. It is delivered as a malicious PAM module, which lets it subvert authentication to stay hidden and persist. With advanced string obfuscation and anti-debug features, Plague poses a significant threat to Linux infrastructure. Follow our coverage of this developing story for the latest updates.

  • The Plague backdoor is a highly sophisticated Linux malware hidden within a PAM module, allowing it to bypass authentication mechanisms.
  • The malware boasts advanced features designed to evade detection by automated and manual analysis, including string obfuscation capabilities.
  • Researchers have developed a custom IDA Pro plugin to analyze the backdoor's behavior and improve detection methods for future variants.
  • The Plague backdoor includes anti-debug features, such as checking for ld.so.preload or renaming itself, to preserve its stealth and persistence.
  • Attribution of the Plague backdoor remains unclear, but an early sample may offer clues about its origin.


    The cybersecurity landscape has been rocked by the discovery of a new, highly sophisticated Linux backdoor known as "Plague". The malware is hidden within a malicious PAM (Pluggable Authentication Module) module, allowing it to bypass authentication mechanisms and maintain persistent access to compromised systems. According to researchers at Nextron Systems, samples of Plague have been uploaded to VirusTotal over the past year, and each iteration was consistently flagged as non-malicious.
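    Because Plague hides inside the PAM stack, one defender-side check is to audit which modules the PAM configuration actually loads against a baseline of modules you expect on your hosts. The following is an added example, not code from the article or from Nextron Systems; the allowlist, the sample configuration and the rogue module name `pam_hijack.so` are constructed for illustration.

```python
"""Audit pam.d-style configuration for modules outside a known-good baseline.

Added example (not from the article or Nextron Systems). The baseline,
the sample config and the module name pam_hijack.so are constructed.
"""
import re
from dataclasses import dataclass, field

# Assumption: on a real host this set would be built from package-manager
# file lists (e.g. the files your distribution's PAM packages install).
KNOWN_GOOD = {"pam_unix.so", "pam_deny.so", "pam_permit.so",
              "pam_env.so", "pam_systemd.so"}

# Constructed sample standing in for /etc/pam.d/sshd; the pam_hijack.so
# line is the rogue entry a PAM-based backdoor would need to add.
SAMPLE_PAM_CONFIG = """\
# PAM configuration for the Secure Shell service (constructed sample)
auth    required    pam_env.so
auth    [success=1 default=ignore]    pam_unix.so nullok
auth    sufficient  pam_hijack.so
auth    required    pam_deny.so
@include common-account
session optional    pam_systemd.so
"""

@dataclass
class PamRule:
    type: str            # auth, account, password, session
    control: str         # required, sufficient, ... or a [bracketed] spec
    module: str          # shared object name as written in the config
    args: list = field(default_factory=list)

# type, control (single word or bracketed form), module, remaining args
_RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def parse_pam(text):
    """Parse rule lines; comments, blank lines and @include are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = _RULE.match(line)
        if m:
            rules.append(PamRule(m.group(1), m.group(2), m.group(3),
                                 m.group(4).split()))
    return rules

def find_unknown_modules(text, baseline=KNOWN_GOOD):
    """Return (module, control) pairs whose module is not in the baseline.
    The control word matters for triage: a rule that can end the stack
    with success on its own deserves the closest look."""
    return [(r.module, r.control) for r in parse_pam(text)
            if r.module not in baseline]
```

    Running it against the sample flags only `pam_hijack.so`; on a real system, pair the allowlist check with a file-integrity check on the module directory, since a backdoor can also replace a legitimately named module.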



    The Plague backdoor boasts advanced features designed to evade detection by both automated and manual analysis. Its string obfuscation capabilities have evolved over time, from simple XOR encryption in early versions to more complex custom KSA/PRGA-like routines in later samples, and finally incorporating a DRBG (deterministic random bit generator) layer. This sophisticated layer not only hides sensitive strings but also their memory offsets, rendering static analysis unreliable.



    To counter this evolving threat, researchers at Nextron Systems have developed a custom IDA Pro plugin that uses the Unicorn CPU emulator to emulate Plague's decoding routines and extract the hidden strings. By analyzing the backdoor's behavior, they aim to provide insights into its operation and improve detection methods for future variants.



    Plague also includes anti-debug features, such as checking for ld.so.preload or renaming itself, and it sanitizes the traces of its SSH sessions by unsetting key environment variables and redirecting shell history to /dev/null. These tactics further ensure stealth and persistence, making it a formidable threat to Linux infrastructure.



    Attribution of the Plague backdoor remains unclear, but an early sample named "hijack" may offer clues. Interestingly, after deobfuscation, this sample reveals a hidden reference to the movie Hackers with the line: “Uh. Mr. The Plague, sir? I think we have a hacker,” shown as a message of the day.



    The discovery of Plague highlights the ongoing cat-and-mouse game between threat actors and security researchers. As malicious software continues to evolve at an unprecedented rate, it is essential for cybersecurity professionals to stay vigilant and adapt their detection methods accordingly.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Linux-Backdoor-Plague-Exploits-Authentication-Mechanisms-to-Maintain-Stealth-and-Persistence-ehn.shtml

  • https://securityaffairs.com/180701/malware/new-linux-backdoor-plague-bypasses-auth-via-malicious-pam-module.html


  • Published: Sat Aug 2 19:02:27 2025 by llama3.2 3B Q4_K_M