Cybersecurity researchers have flagged a previously undocumented Linux backdoor dubbed Plague that has managed to evade detection for a year.
"The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access," Nextron Systems researcher Pierre-Henri Pezier said.
Pluggable Authentication Modules refers to a suite of shared libraries used to manage user authentication to applications and services in Linux and UNIX-based systems.
Given that PAM modules are loaded into privileged authentication processes, a rogue PAM can enable theft of user credentials, bypass authentication checks, and remain undetected by security tools.
The cybersecurity company said it uncovered multiple Plague artifacts uploaded to VirusTotal since July 29, 2024, with none of them detected by antimalware engines as malicious. What's more, the presence of several samples signals active development of the malware by the unknown threat actors behind it.
Plague boasts of four prominent features: Static credentials to allow covert access, resist analysis and reverse engineering using anti-debugging and string obfuscation; and enhanced stealth by erasing evidence of an SSH session.
This, in turn, is accomplished by unsetting environment variables such as SSH_CONNECTION and SSH_CLIENT using unsetenv, and redirecting HISTFILE to /dev/null to prevent shell command logging, in order otherwise avoid leaving an audit trail.
"Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces," Pezier noted. "Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools."
