New Linux backdoor Plague bypasses auth via malicious PAM module

A stealthy Linux backdoor named Plague, hidden as a malicious PAM module, allows attackers to bypass auth and maintain persistent SSH access.

Nextron Systems researchers discovered a new stealthy Linux backdoor called Plague, hidden as a malicious PAM (Pluggable Authentication Module) module. It silently bypasses authentication and grants persistent SSH access.

A Pluggable Authentication Module (PAM) is a flexible system used in Unix-like operating systems (like Linux) to manage authentication tasks. In simple terms, PAM allows system administrators to plug in different authentication methods (like passwords, fingerprints, or smart cards) without changing programs like login, sudo, or sshd.
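Because PAM loads whatever shared object the configuration names, a defender's first check against a backdoor of this kind is whether every module referenced under /etc/pam.d is one the administrator expects. The script below is an added example written for this article, not Nextron's tooling: it parses pam.d-style lines and flags modules that are off an allowlist, live outside the standard module directories, or can satisfy `auth` on their own. The allowlist, the module directories and the sample configuration are constructed assumptions and should be adjusted to the distribution being audited.

```python
"""Audit PAM configuration for modules an administrator does not expect.

Added example (not Nextron's code). Allowlist, module directories and the
sample pam.d content are constructed; tune them for the host being checked.
"""
import os
import re
from typing import Dict, Iterable, List, NamedTuple

# Directories PAM modules are normally loaded from (constructed assumption).
EXPECTED_MODULE_DIRS = (
    "/lib/security", "/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib64/security",
)

# Modules the administrator expects to see (constructed allowlist).
EXPECTED_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_deny.so",
    "pam_permit.so", "pam_systemd.so", "pam_nologin.so",
}


class PamEntry(NamedTuple):
    source: str    # pam.d file the line came from
    mtype: str     # auth / account / password / session
    control: str   # required / sufficient / ... or a bracketed control
    module: str    # module path or bare .so name
    args: str      # remaining arguments


def parse_pam_lines(source: str, lines: Iterable[str]) -> List[PamEntry]:
    """Parse pam.d-style lines; comments and @include are skipped.
    Bracketed controls such as [success=1 default=ignore] are kept whole."""
    entries = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = re.match(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            continue
        mtype, control, module, args = m.groups()
        entries.append(PamEntry(source, mtype.lstrip("-"), control, module, args))
    return entries


def find_suspicious(entries: Iterable[PamEntry]) -> List[Dict[str, str]]:
    """Return one finding per entry that deviates from the expected baseline."""
    findings = []
    for e in entries:
        base = os.path.basename(e.module)
        reasons = []
        if base not in EXPECTED_MODULES:
            reasons.append("module not on allowlist")
        if "/" in e.module and os.path.dirname(e.module) not in EXPECTED_MODULE_DIRS:
            reasons.append("absolute path outside standard module directories")
        if e.mtype == "auth" and e.control == "sufficient" and base not in EXPECTED_MODULES:
            reasons.append("unexpected module can satisfy auth on its own")
        if reasons:
            findings.append({"source": e.source, "module": e.module,
                             "reason": "; ".join(reasons)})
    return findings


def audit_directory(pam_dir: str = "/etc/pam.d") -> List[Dict[str, str]]:
    """Audit every file in a pam.d directory on a live host."""
    entries: List[PamEntry] = []
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                entries.extend(parse_pam_lines(name, fh))
    return find_suspicious(entries)


# Constructed sample modelled on a Debian-style /etc/pam.d/sshd; the
# /usr/local/lib module is a placeholder for an unexpected entry.
SAMPLE_SSHD = """\
@include common-auth
auth     [success=1 default=ignore]  pam_unix.so nullok
auth     sufficient  /usr/local/lib/pam_example.so
account  required    pam_nologin.so
session  optional    pam_systemd.so
""".splitlines()


def audit_sample() -> List[Dict[str, str]]:
    return find_suspicious(parse_pam_lines("sshd", SAMPLE_SSHD))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['source']}: {f['module']} -> {f['reason']}")
```

Run `audit_directory()` on a host to check the real configuration; a cleaner follow-up is to confirm each flagged path against the package manager's file database (`dpkg -S` or `rpm -qf`), since a module that belongs to no package is the case this article describes.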

The experts state that, although several variants of this backdoor have been uploaded to VirusTotal over the past year, they were consistently flagged as non-malicious.

The Plague backdoor includes advanced features such as anti-debugging to prevent analysis, string obfuscation to hide sensitive data, a static password for covert access, and the ability to erase session artifacts to avoid detection, making it a stealthy and persistent threat.

The Plague backdoor uses increasingly complex string obfuscation to avoid detection. Early versions relied on simple XOR encryption, but later samples implemented custom KSA/PRGA-like routines, and the latest adds a DRBG (deterministic random bit generator) layer. These changes aim to block both automated and manual analysis by hiding strings and their memory offsets. To counter this, researchers built a custom IDA Pro plugin using Unicorn to emulate and extract strings.
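The first two obfuscation layers the report names, single-byte XOR and an RC4-style KSA/PRGA stream, are the kind an analyst reverses by hand before reaching for emulation. The decoders below are an added example for this article, not Nextron's IDA Pro/Unicorn plugin: standard RC4 stands in for the sample's custom KSA/PRGA routine, whose constants the article does not give, and the DRBG layer of the latest variant is not covered. The encoded blobs and keys are constructed here by encoding known plaintext, since no real blobs appear in the article.

```python
"""Decode XOR- and RC4-style-obfuscated strings of the kind described above.

Added example (not Nextron's plugin). Standard RC4 is used as a stand-in for
the malware's custom KSA/PRGA; blobs and keys below are constructed.
"""
from typing import List, Tuple


def xor_decode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in blob)


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: permute 0..255 under the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(state: List[int], n: int) -> bytes:
    """Pseudo-random generation algorithm: emit n keystream bytes."""
    s = state[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_decode(blob: bytes, key: bytes) -> bytes:
    """XOR the blob with the keystream derived from the key."""
    stream = rc4_prga(rc4_ksa(key), len(blob))
    return bytes(a ^ b for a, b in zip(blob, stream))


def brute_xor(blob: bytes) -> List[Tuple[int, bytes]]:
    """Try every single-byte key and keep fully printable results; this is
    how an unknown XOR key is recovered from a sample without emulation."""
    hits = []
    for key in range(256):
        cand = xor_decode(blob, key)
        if all(0x20 <= b < 0x7F for b in cand):
            hits.append((key, cand))
    return hits


# Constructed test vectors: plaintext encoded with the routines above.
XOR_KEY = 0x5A
SAMPLE_XOR_BLOB = xor_decode(b"/dev/null", XOR_KEY)

RC4_KEY = b"constructed-key"
SAMPLE_RC4_BLOB = rc4_decode(b"HISTFILE", RC4_KEY)


if __name__ == "__main__":
    print(xor_decode(SAMPLE_XOR_BLOB, XOR_KEY))
    print(rc4_decode(SAMPLE_RC4_BLOB, RC4_KEY))
    for key, text in brute_xor(SAMPLE_XOR_BLOB):
        print(f"key=0x{key:02x} -> {text!r}")
```

In a real sample the key and the KSA/PRGA constants are read out of the disassembly first; the report's point is that later variants moved the keystream setup into a DRBG so that this static recovery no longer works, which is why emulation was needed.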

“These changes reflect the threat actor’s ongoing efforts to evade both automated and manual analysis. The obfuscation not only hides sensitive strings but also their memory offsets, making static analysis unreliable.” continues the report.

Plague also includes anti-debug features, such as checking for ld.so.preload or renaming itself, and sanitizes its SSH session traces by unsetting key environment variables and redirecting shell history to /dev/null, ensuring stealth and persistence.
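The history redirection is observable from the defender's side: an interactive session whose environment points HISTFILE at /dev/null, or forces the history size to zero, is worth a look. The scanner below is an added example for this article, not Nextron's tooling; on a live host it reads /proc/<pid>/environ, and the two NUL-separated environ blobs embedded here are constructed samples so the logic can be exercised offline.

```python
"""Flag processes whose shell history has been disabled through the
environment, one of the session-trace sanitisations described above.

Added example (not Nextron's code). Environ samples below are constructed.
"""
import os
from typing import Dict, List


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def history_disabled(env: Dict[str, str]) -> List[str]:
    """Return the reasons a session's history would not be written."""
    reasons = []
    if env.get("HISTFILE") in ("/dev/null", ""):
        reasons.append("HISTFILE=%r" % env.get("HISTFILE"))
    if env.get("HISTSIZE") == "0" or env.get("HISTFILESIZE") == "0":
        reasons.append("history size forced to 0")
    return reasons


def scan_proc(proc: str = "/proc") -> Dict[int, List[str]]:
    """Scan every readable /proc/<pid>/environ on a live host."""
    hits: Dict[int, List[str]] = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "environ"), "rb") as fh:
                reasons = history_disabled(parse_environ(fh.read()))
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        if reasons:
            hits[int(name)] = reasons
    return hits


# Constructed samples in /proc environ format (not captured data).
NORMAL_ENVIRON = (b"USER=alice\0HOME=/home/alice\0"
                  b"HISTFILE=/home/alice/.bash_history\0"
                  b"SSH_CONNECTION=10.0.0.5 51234 10.0.0.9 22\0")
SUSPECT_ENVIRON = b"USER=root\0HOME=/root\0HISTFILE=/dev/null\0HISTSIZE=0\0"


if __name__ == "__main__":
    for pid, reasons in sorted(scan_proc().items()):
        print(f"pid {pid}: {'; '.join(reasons)}")
```

Administrators legitimately disable history in places, so treat a hit as a prompt to correlate with the session's origin (sshd parent, SSH_CONNECTION, login records) rather than as a verdict on its own.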

The Plague backdoor is a stealthy, evolving Linux threat that abuses authentication systems, obfuscation, and tampering to avoid detection.

Attribution of the Plague backdoor is still unknown, but an early sample named “hijack” may offer clues. After deobfuscation, it reveals a hidden reference to the movie Hackers with the line: “Uh. Mr. The Plague, sir? I think we have a hacker,” shown after pam_authenticate as a message of the day.

“The Plague backdoor represents a sophisticated and evolving threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence. Its use of advanced obfuscation, static credentials, and environment tampering makes it particularly difficult to detect using conventional methods.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, Plague backdoor)