EXECUTIVE SUMMARY
A newly identified Linux backdoor, known as Plague, presents a significant security threat to enterprise systems. This malware operates within the core authentication framework of Linux, specifically exploiting Pluggable Authentication Modules (PAM). Its main method of attack involves inserting a malicious shared object into the authentication path, allowing persistent, covert access to systems via SSH. The threat actor achieves this without triggering any security alerts, posing a major risk to organizations that rely on standard endpoint detection and antivirus solutions. Affected environments include Debian, Ubuntu, and Red Hat systems, as demonstrated by compilation artifacts. The malware's stealth capabilities enable it to remain undetected while collecting user credentials and maintaining long-term access. This type of infiltration threatens the integrity of authentication systems, compromises sensitive user data, and allows ongoing unauthorized access, creating high risks of espionage, sabotage, or further compromise across enterprise networks. Given the malware's ability to hide in plain sight and integrate with critical system processes, the potential business impact is significant, especially for sectors with high security requirements or sensitive operational environments.
Plague functions as a stealth backdoor by masquerading as a legitimate PAM module, specifically hooking into the pam_sm_authenticate() function responsible for handling user login credentials. Its persistence relies on the dynamic configuration of the PAM stack, where shared libraries are loaded based on settings within /etc/pam.d/. By placing itself within this critical path, the malware not only intercepts authentication attempts but also enables access through hardcoded static passwords. The malware performs deep string obfuscation using multiple encryption layers, evolving from XOR encoding to a custom RC4-like approach built on a Key Scheduling Algorithm (KSA) and a Pseudo-Random Generation Algorithm (PRGA). Further enhancements include the use of Deterministic Random Bit Generator (DRBG) layers, indicating ongoing development aimed at evading static analysis. Plague also incorporates anti-debugging checks that verify execution conditions, such as confirming its filename (libselinux.so.8) and detecting the presence of environment variables like ld.so.preload. These techniques enable the malware to avoid execution in sandbox environments and evade automated analysis. To conceal attacker activity, the malware clears environment variables associated with SSH connections and redirects shell history to /dev/null, ensuring no evidence is left in terminal logs. These features showcase the attacker's knowledge of forensic methods and system internals, allowing Plague to maintain operational secrecy over time.
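As an added example (not from the report or from any Plague sample), a small audit of a PAM service file that flags the kind of module line the paragraph describes: a module whose name matches the reported libselinux.so.8, a module that does not follow pam_*.so naming, or one loaded from outside a module directory. The /etc/pam.d/sshd content is constructed, and the module-directory list assumes common Debian and Red Hat layouts.

```python
import os
import re
# Constructed sample of an /etc/pam.d/sshd file with two injected lines;
# libselinux.so.8 is the module name the report attributes to Plague.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
@include common-auth
auth     required   pam_env.so
auth     [success=1 default=ignore] pam_succeed_if.so uid >= 1000
auth     sufficient libselinux.so.8
account  required   pam_nologin.so
session  optional   /tmp/.x/pam_motd.so motd=/run/motd.dynamic
"""
# Real modules are named pam_<name>.so and live in a distribution module dir
# (assumed Debian/Red Hat layouts) when given by absolute path.
PAM_MODULE_NAME = re.compile(r"^pam_[A-Za-z0-9_]+\.so$")
PAM_MODULE_DIRS = {"/lib/security", "/lib64/security", "/usr/lib64/security",
                   "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security"}

def parse_pam_lines(text):
    """Yield (line_no, type, control, module_path) per module line, skipping
    comments, blanks and @include, and handling '[success=1 default=ignore]'."""
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0].startswith("@"):
            continue
        mtype = parts[0].lstrip("-")  # a leading '-' marks an optional module
        end = 1  # index of the last token of the control field
        if parts[1].startswith("["):
            while end < len(parts) and not parts[end].endswith("]"):
                end += 1
        if end + 1 >= len(parts):  # malformed line: no module path
            continue
        yield n, mtype, " ".join(parts[1:end + 1]), parts[end + 1]

def audit_pam_config(text, known_bad=("libselinux.so.8",)):
    """Return (line_no, module, reason) tuples for module lines to inspect."""
    findings = []
    for n, _mtype, _control, path in parse_pam_lines(text):
        name = os.path.basename(path)
        if name in known_bad:
            findings.append((n, name, "matches the module name reported for Plague"))
        elif not PAM_MODULE_NAME.match(name):
            findings.append((n, name, "does not follow pam_*.so naming"))
        elif path.startswith("/") and os.path.dirname(path) not in PAM_MODULE_DIRS:
            findings.append((n, name, "loaded from outside a PAM module directory"))
    return findings

if __name__ == "__main__":
    for n, name, reason in audit_pam_config(SAMPLE_PAM_SSHD):
        print(f"line {n}: {name}: {reason}")
```

Run against every file under /etc/pam.d/ and compare the referenced modules with the package manager's file ownership records to catch modules that belong to no installed package.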
Plague introduces a highly advanced method of persistence and stealth on Linux systems by targeting the PAM infrastructure, rather than relying on traditional malware installation paths. Its complete lack of detection across major antivirus engines highlights severe gaps in current endpoint defenses, especially those relying on signature-based detection. The malware's technical design, including dynamic string encryption, anti-debug mechanisms, and removal of forensic artifacts, reflects a high level of sophistication and operational security awareness by the threat actor. The geographic spread of samples and cultural references embedded within the code point to potential distribution on a global scale, although attribution remains uncertain. The integration of hardcoded backdoor access into a foundational Linux subsystem allows attackers to bypass security patches and software updates, securing long-term access without disrupting system functionality. This attack represents a strategic evolution in Linux-targeted threats, shifting focus from superficial exploitation to the manipulation of core authentication mechanisms. Plague's emergence underscores the need to rethink monitoring strategies for authentication systems and highlights the critical importance of detecting unauthorized changes to PAM components. Its ability to function undetected in critical enterprise environments positions it as a notable development in the landscape of Linux-based threats.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Persistence | T1078.004 | Valid Accounts | Cloud Accounts |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defense Evasion | T1620 | Reflective Code Loading | - |
| Defense Evasion | T1070.003 | Indicator Removal on Host | Clear Command History |
| Defense Evasion | T1070.004 | Indicator Removal on Host | File Deletion |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1083 | File and Directory Discovery | - |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Defense Evasion | B0009 | String Encryption |
| Defense Evasion | B0022 | Anti-Disassembly |
| Defense Evasion | B0023 | Environmental Awareness |
| Persistence | B0013 | Component Object Model Hijacking |
| Persistence | B0032 | Authentication Hook |
| Credential Access | B0037 | Credential API Hooking |
| Anti-Forensics | B0051 | Clear Logs |
| Anti-Forensics | B0052 | Disable Logging |
| Execution | B0024 | Shared Library Load |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/plague-malware-attacking-linux-servers/