In what seems an especially smart, albeit malicious, solution, code that creates a highly persistent Linux backdoor without tripping any alarms has been spotted by researchers.
According to Pierre-Henri Pezier, a researcher at German information security services company Nextron Threat, antivirus engines haven’t flagged the code as malicious for months, and that’s worrying.
“The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access,” said Pezier.
The researcher explained that the malware “integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces.”
Combined with layered obfuscation and environment tampering, this makes the code exceptionally hard to detect using traditional tools.
Indeed, several variants of this particular backdoor have been uploaded to VirusTotal over the past year. VirusTotal is a system that scans files and URLs against a vast database of antivirus engines and threat intelligence feeds to help users quickly assess whether a file or link is malicious.
But not a single antivirus engine has flagged the backdoor as malicious. In fact, there are no public reports or detection rules available for this threat, suggesting that it has quietly evaded detection across multiple environments, said Pezier in a Nextron blog spot.
The cybersecurity company has named the malware “Plague.” That’s because its deobfuscated code contains the text “Uh. Mr. The Plague, sir? I think we have a hacker.” This is a line from the 1995 film, Hackers.
As mentioned above, Plague appears as a PAM and manages to avoid detection in various ways, including hiding session logs to evade scanning, implementing a custom string obfuscation system, and concealing itself from debuggers by using the legitimate libselinux.so.8 shared library file name. It also contains hardcoded passwords to allow the operator easy access.
More specifically, the malware actively sanitizes the runtime environment to eliminate evidence of an SSH session. Environment variables such as SSH_CONNECTION and SSH_CLIENT are unset using unsetenv, while HISTFILE is redirected to /dev/null to prevent shell command logging.
“This operation ensures that no audit trail or login metadata is retained, effectively erasing the attacker’s footprint from both interactive sessions and system history logs,” Pezier explained.
Plague could potentially be used to nab user account details and circumvent standard authentication verification.
PAMs are, of course, very important for authentication. These are essentially frameworks that enable you to plug in different authentication methods without changing the core application.
That’s why the existence of the backdoor is very concerning. Plague could potentially be used to nab user account details and circumvent standard authentication verification.
Stealth and power are a truly ugly combo in the world of malware. However, at least so far, Nextron has found no public reports of researchers spotting Plague in the wild.
Still, “the Plague backdoor represents a sophisticated and evolving threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence,” said Pezier.
Your email address will not be published. Required fields are markedmarked