Plague in Your PAM – Silent, Stealthy, Persistent

Recently, Nextron Systems uncovered a stealthy Linux backdoor dubbed Plague – and it’s not your everyday malware. Instead of hiding in /tmp or /var/tmp, Plague takes a prime seat inside PAM (Pluggable Authentication Modules), allowing attackers to silently bypass authentication and maintain long-term SSH access without raising a single alert.

If PAM is the doorman to your system, Plague is the fake ID printer and the bouncer on the take.


1. Deep Hooking in PAM

Plague disguises itself as a legitimate PAM library (e.g., libselinux.so.8). Since PAM is invoked during every login, this grants attackers:

  • Seamless SSH Access – via a static hardcoded password.
  • Persistence – survives OS updates by replacing core authentication libraries.
  • Zero Detections – multiple VirusTotal submissions returned 0/66 detections over months.

2. Triple-Layer Obfuscation

The malware uses a three-stage obfuscation strategy to frustrate reverse engineering:

  1. XOR Encryption – hides plaintext strings.
  2. Custom KSA/PRGA Routine – a modified RC4-like algorithm for offsets.
  3. DRBG Layer – deterministic random bit generator adds unpredictable output.

Due to the complexity and evolution of the scheme, analysts developed a custom Unicorn-based deobfuscator to emulate the malware in IDA Pro safely, extract decrypted strings, and annotate them in place.

3. Anti-Debug and Sandbox Evasion

Before execution, Plague runs several environment checks:

  • Confirms filename matches libselinux.so.8.
  • Ensures ld.so.preload is absent (common in sandboxes).
  • Detects potential debugger interference.

If any of these fail, Plague simply stops—avoiding capture in analysis environments.

4. Erasing All Footprints

Once inside, Plague removes traces of attacker sessions by:

  • Unsetting SSH_CONNECTION and SSH_CLIENT.
  • Redirecting HISTFILE to /dev/null to prevent command logging.
  • Sanitizing environment variables to remove session evidence.

The result: No SSH logs, no shell history, and minimal forensic artifacts.

5. Technical Capabilities Summary

| Capability | Purpose |
|---|---|
| Static password | Backdoor SSH access without valid user credentials |
| Multi-layer obfuscation | Hides strings and offsets from static analysis |
| Anti-debugging | Avoids execution in monitored environments |
| Session stealth | Removes traces of attacker activity |

6. Detection & Indicators

Extracted hardcoded passwords from various samples:

  • Mvi4Odm6tld7
  • IpV57KNK32Ih
  • changeme

YARA Rule Example:

```yara
rule MAL_LNX_PLAGUE_BACKDOOR_Jul25 {
   meta:
      description = "Detects Plague backdoor ELF binaries, related to PAM authentication alteration."
      author = "Pezier Pierre-Henri"
      date = "2025-07-25"
   strings:
      $s1 = "decrypt_phrase"
      $s2 = "init_phrases"
   condition:
      uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
}
```

7. Why This Matters

Backdoors inside PAM are rare, stealthy, and dangerous:

  • Persistence: survives OS reinstalls if libraries are restored from backups.
  • Stealth: invisible to most host-based security tools.
  • Adaptability: continuous development, multiple compiler versions seen.

If you run Linux in production, PAM should not be writable without explicit change control. File integrity monitoring (FIM) and proactive YARA-based hunting are critical here.
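As an added example (not from Nextron's writeup or any Plague analysis tooling), the Python audit below combines both controls: it re-implements the YARA rule's condition and compares every file in a PAM module directory against a trusted hash baseline, so a swapped library is flagged even when it keeps its original filename. The baseline, the sample files and the `demo()` helper are constructed for illustration; on a real host the baseline would come from the package manager's manifest or a golden image.

```python
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
PLAGUE_STRINGS = (b"decrypt_phrase", b"init_phrases")
MAX_SIZE = 1024 * 1024  # YARA's "1MB" means 1024 * 1024 bytes

def matches_plague_rule(data: bytes) -> bool:
    """Same condition as MAL_LNX_PLAGUE_BACKDOOR_Jul25, evaluated in Python."""
    return (data[:4] == ELF_MAGIC
            and len(data) < MAX_SIZE
            and all(s in data for s in PLAGUE_STRINGS))

def audit_pam_dir(pam_dir: str, baseline: dict) -> list:
    """Flag files that are unknown, changed vs. the trusted baseline
    (filename -> sha256 hex), or that match the Plague rule logic."""
    findings = []
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            data = f.read()
        digest = hashlib.sha256(data).hexdigest()
        if name not in baseline:
            findings.append((name, "not in baseline"))
        elif baseline[name] != digest:
            findings.append((name, "hash mismatch"))
        # Content check runs even when the hash matches (stale baseline case).
        if matches_plague_rule(data):
            findings.append((name, "matches Plague rule logic"))
    return findings

def demo() -> list:
    """Constructed sample data: one benign module plus a Plague-like impostor
    written over the trusted libselinux.so.8 under the same filename."""
    with tempfile.TemporaryDirectory() as d:
        benign = ELF_MAGIC + b"\x00" * 64 + b"pam_sm_authenticate\x00"
        golden = ELF_MAGIC + b"\x00" * 64 + b"selinux_set_mapping\x00"
        rogue = ELF_MAGIC + b"\x00" * 64 + b"decrypt_phrase\x00init_phrases\x00"
        for name, data in (("pam_unix.so", benign), ("libselinux.so.8", rogue)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        baseline = {"pam_unix.so": hashlib.sha256(benign).hexdigest(),
                    "libselinux.so.8": hashlib.sha256(golden).hexdigest()}
        return audit_pam_dir(d, baseline)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `audit_pam_dir` at the distribution's PAM module directory (for example `/lib/security` or `/lib/x86_64-linux-gnu/security`) with a baseline generated from a known-good system to use it as a lightweight FIM pass.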


Bottom line: Plague shows that when attackers compromise the authentication layer, you can’t trust the locks on the door – because the locksmith works for them.