Cybersecurity researchers have flagged a plague called the previously undocumented Linux backdoor, which has managed to avoid detection for a year.
“The implant is built as a malicious PAM (pluggable authentication module) that allows attackers to quietly bypass system authentication and gain permanent SSH access,” said Pierre-Henri Pezier, a researcher at Nextron Systems.
A pluggable authentication module refers to a suite of shared libraries used to manage user authentication to applications and services on Linux and UNIX-based systems.
Given that the PAM module is loaded into the privileged authentication process, an incorrect PAM allows for user credential theft, bypasses authentication checks, and leaves them unaware by security tools.
The cybersecurity company said it had discovered multiple plague artifacts uploaded to Bilstotal since July 29, 2024, and none of them were detected as malicious. Furthermore, the presence of some samples indicates the active development of malware by unknown threat actors behind it.
The plague boasts four distinct features: Reverse engineering using static credentials, resistance analysis, and string obfuscation to allow for cover access. We’ve increased stealth by erasing evidence from SSH sessions.
This is achieved by using ssh_connection or ssh_client to fix environment variables such as ssh_connection or ssh_client and redirecting histfile to /dev /null to prevent logging of shell commands.
“Plague is deeply integrated into the authentication stack, withstands system updates and leaves little forensic traces,” Pezier said. “Combined with layered obfuscation and environmental tampering, this makes it extremely difficult to detect using traditional tools.”
Source link
