Plague Backdoor Threatens Global Linux Infrastructure via PAM Exploit

It didn’t trip any alarms. It didn’t need exploits. It didn’t leave a trace.
For over a year, a sophisticated backdoor called Plague embedded itself inside Linux authentication systems—bypassing passwords, recording credentials, and offering attackers persistent root access to global servers. The discovery has triggered alarm across enterprise security teams and forensic experts.


How the Plague PAM Backdoor Works – Technical Breakdown

The Plague implant is not malware in the traditional sense. Instead, it abuses one of Linux’s most trusted mechanisms: Pluggable Authentication Modules (PAM). PAM is a critical interface used by services like sshd, sudo, su, passwd, and even graphical logins.

1. Initial Infiltration

Plague is typically deployed manually or via a root-level compromise. It masquerades as a legitimate library file—commonly using deceptive names like:

This tricks admins or detection systems into overlooking it.


2. Hooking the Authentication Chain

Once installed, Plague integrates into the PAM stack for SSH or sudo authentication. PAM works through a configuration file, usually located at:

Attackers modify or inject entries such as:

This line effectively inserts Plague into every SSH authentication request.


3. Bypassing Login Credentials

When a user attempts to log in, Plague inspects the username and password. If the input matches hardcoded backdoor credentials, the module returns PAM_SUCCESS—bypassing all real authentication and granting shell access.

Here’s what happens under the hood:

  • Compares entered password to embedded static hash or plaintext (example: “sEcRet!”).
  • If matched, exits early and returns success to the PAM stack.
  • User gains shell with no trace in system logs.

No brute-force, no exploits—just silent acceptance.


4. Credential Harvesting

If the user is legitimate, Plague still silently logs the real credentials and exfiltrates them:

  • Stores or sends plaintext passwords via encrypted or encoded channels (RC4-like PRGA or DRBG encryption observed).
  • Can be configured to drop logs to hidden locations or transmit via covert channels (e.g. DNS tunneling or ICMP).

5. Evading Detection

Plague features a range of stealth and anti-forensic techniques, including:

  • Environment variable cleanup: Removes SSH_CONNECTION, HISTFILE, HISTSIZE, and HISTFILESIZE so session activity doesn’t get logged.
  • String obfuscation: Early versions used XOR encoding. Later samples adopted a custom stream cipher, and the most recent uses a Deterministic Random Bit Generator (DRBG) with pseudo-random keying.
  • Anti-debugging and anti-tracing: It checks for strace, gdb, or signs of sandboxing.
  • Persistence: Survives reboots and system updates due to its deep PAM integration and deceptive naming.

Systemic Risk: Why This Is Alarming

PAM modules are core to Linux authentication. If compromised:

  • All access control collapses.
  • Audit logs become unreliable.
  • Antivirus (AV) signatures fail to detect the module—66 out of 66 vendors missed it on VirusTotal.

Worse: no exploits are needed. Attackers with one-time access (via phishing, unpatched software, or insider threats) can install Plague and vanish, yet return at will.


Recommendations for Defenders

  1. Audit /etc/pam.d/ and /lib*/security/ for suspicious modules.
  2. Cross-reference PAM module hashes with known good libraries (e.g. via sha256sum).
  3. Use YARA rules shared by Nextron Systems to identify known Plague variants:
    • Match static backdoor strings.
    • Identify obfuscated code patterns.
  4. Monitor for logins at unusual times or from unusual IPs, and for sessions that lack SSH_CONNECTION or shell history.
  5. Consider implementing Mandatory Access Control (MAC) systems like AppArmor or SELinux with strict module policies.
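An added example (not code from the article or from Nextron Systems) that mechanises recommendations 1 and 2: it parses a pam.d service file and flags every referenced module that is absent from a known-good SHA-256 baseline, missing from disk, or altered since the baseline was taken. The baseline, the module bytes and the `pam_helper.so` name are constructed placeholders.

```python
import hashlib
import re

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_pam_config(text: str):
    """Return (type, control, module-file, args) per rule; comments and @include
    lines are skipped and bracketed controls like [success=1 default=ignore] kept whole."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$", line)
        if not m:
            continue
        mtype, control, module, args = m.groups()
        # The module may be a bare name or a full path; compare by file name only.
        rules.append((mtype, control, module.rsplit("/", 1)[-1], args or ""))
    return rules

def audit_pam(config_text: str, on_disk: dict, baseline: dict) -> list:
    """Flag referenced modules that are unknown, missing, or whose SHA-256 differs
    from the baseline (on_disk: name -> file bytes; baseline: name -> hex digest)."""
    findings = []
    for mtype, control, module, _ in parse_pam_config(config_text):
        expected = baseline.get(module)
        if expected is None:
            # An unvetted module in the chain is the Plague pattern; 'sufficient' lets it short-circuit.
            findings.append(f"{mtype} {control} {module}: not in baseline")
        elif module not in on_disk:
            findings.append(f"{mtype} {control} {module}: referenced but not on disk")
        elif sha256_hex(on_disk[module]) != expected:
            findings.append(f"{mtype} {control} {module}: hash mismatch")
    return findings

# Constructed sample data standing in for real library files and real hashes.
GOOD_UNIX = b"stand-in bytes for a known-good pam_unix.so"
GOOD_DENY = b"stand-in bytes for a known-good pam_deny.so"
BASELINE = {"pam_unix.so": sha256_hex(GOOD_UNIX), "pam_deny.so": sha256_hex(GOOD_DENY)}
ON_DISK = {"pam_unix.so": GOOD_UNIX + b" (tampered)", "pam_deny.so": GOOD_DENY,
           "pam_helper.so": b"stand-in bytes for an unvetted module"}
SAMPLE_SSHD = """# constructed /etc/pam.d/sshd
auth    sufficient  /lib/security/pam_helper.so
auth    [success=1 default=ignore] pam_unix.so nullok
auth    required    pam_deny.so
@include common-account
"""
```

On a real host, fill `on_disk` by reading the files under /lib*/security/ and build `baseline` from package-manager metadata or a golden image rather than from the host being checked.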

Quotes from Researchers

“This is not just malware—it’s surgical compromise at the core of Linux authentication. It’s elegant, terrifying, and hard to catch.”
Pierre-Henri Pezier, Senior Malware Analyst at Nextron Systems.

“If PAM is compromised, you no longer own your server,” said one Red Team engineer under anonymity. “You just host it for someone else.”


Global and Strategic Implications

As more Linux systems power cloud backends, financial APIs, national security, and research environments, backdoors like Plague pose:

  • Nation-state espionage risks
  • Supply-chain infiltration scenarios
  • Loss of credential integrity for SSO and federated identity systems

Organizations across sectors must now consider PAM modules as active threat vectors—not passive components.
