Ethical Hacking News
Researchers have identified a previously undocumented Linux backdoor dubbed "Plague" that has managed to evade detection for over a year. This malicious PAM module bypasses system authentication and gains persistent SSH access, making it exceptionally hard to detect using traditional tools.
The Plague backdoor is a previously undocumented Linux backdoor that has evaded detection for over a year. The malicious PAM module bypasses system authentication and gains persistent SSH access, making it hard to detect using traditional tools. The Plague backdoor integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces. The discovery of the Plague backdoor highlights the need for security professionals to remain vigilant and proactive in the face of evolving threats.
The cybersecurity landscape has witnessed numerous breaches and exploits in recent times, with each new threat emerging like a hydra-like creature, adapting and evolving to evade detection. In this context, researchers have identified a previously undocumented Linux backdoor dubbed "Plague" that has managed to evade detection for over a year. This malicious PAM (Pluggable Authentication Module) has been designed to silently bypass system authentication and gain persistent SSH access.
According to Nextron Systems researcher Pierre-Henri Pezier, the implant is built as a malicious PAM module, enabling attackers to steal user credentials without triggering any alerts. "The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access," Pezier stated.
For those who may not be familiar with Pluggable Authentication Modules, they refer to a suite of shared libraries used to manage user authentication to applications and services in Linux and UNIX-based systems. Given that PAM modules are loaded into privileged authentication processes, a rogue PAM can enable theft of user credentials, bypass authentication checks, and remain undetected by security tools.
Researchers have uncovered multiple Plague artifacts uploaded to VirusTotal since July 29, 2024, with none of them detected by antimalware engines as malicious. Furthermore, the presence of several samples signals active development of the malware by the unknown threat actors behind it. This indicates that the attackers are continually improving and refining their approach, making detection increasingly difficult.
The Plague backdoor boasts four prominent features: static credentials to allow covert access; resistance to analysis and reverse engineering using anti-debugging and string obfuscation; enhanced stealth by erasing evidence of an SSH session; and environment tampering through the use of unsetenv and redirecting HISTFILE to /dev/null. This combination makes it exceptionally hard to detect using traditional tools.
"The Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces," Pezier noted. "Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools." This statement underscores the complexity of the threat posed by the Plague backdoor and highlights the need for security professionals to adopt a more nuanced approach to detecting and mitigating such threats.
The discovery of the Plague backdoor serves as a stark reminder of the ongoing cat-and-mouse game between cybersecurity researchers and malicious actors. While it may seem like an eternity since this threat was first identified, its continued evolution and refinement underscore the importance of staying vigilant in the pursuit of cybersecurity.
In conclusion, the discovery of the Plague PAM backdoor highlights the need for security professionals to remain vigilant and proactive in the face of evolving threats. By understanding the tactics, techniques, and procedures (TTPs) employed by malicious actors, we can better equip ourselves to detect and mitigate such threats, ultimately protecting our systems and users from harm.
Researchers have identified a previously undocumented Linux backdoor dubbed "Plague" that has managed to evade detection for over a year. This malicious PAM module bypasses system authentication and gains persistent SSH access, making it exceptionally hard to detect using traditional tools.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Plague-PAM-Backdoor-Exposes-Critical-Linux-Systems-to-Silent-Credential-Theft-ehn.shtml
https://thehackernews.com/2025/08/new-plague-pam-backdoor-exposes.html
Published: Sat Aug 2 10:31:55 2025 by llama3.2 3B Q4_K_M
