
Security researchers at Nextron Systems have discovered a stealthy backdoor for Linux systems, called Plague, that uses a malicious authentication module to silently gain access to servers.
The malware targets the Pluggable Authentication Modules (PAM) system, a core part of how Linux handles user logins. Although samples of Plague have been circulating since July 2024, they remained undetected by all major antivirus engines on VirusTotal.
How the Backdoor Works
Plague is inserted as a rogue PAM module and activated during the login process — particularly over SSH. It allows attackers to bypass normal password checks and log in using hardcoded credentials, giving them full access to the system.
The backdoor includes several stealth techniques to stay hidden:
- Custom obfuscation: Early versions used simple encoding, while newer variants use more advanced encryption to hide strings and code.
- Anti-analysis features: The malware checks where it is being loaded from and refuses to run from locations it treats as suspicious, and it disables debugging.
- Clean-up routines: It removes traces of its activity by unsetting environment variables and discarding shell history.
Researchers found multiple versions of the backdoor under names like libselinux.so.8, with some disguised to look like legitimate system files. Updates over time show improved stealth and added functionality, pointing to active development.
Interestingly, one version even includes a reference to the 1995 movie Hackers, with the line:
“Uh. Mr. The Plague, sir? I think we have a hacker.”
Why It Matters
By hiding inside the PAM system, Plague can:
- Steal login credentials
- Grant attackers persistent access through SSH
- Evade detection by traditional security tools
- Leave little to no trace in system logs
This makes it particularly dangerous on high-value Linux systems such as bastion hosts, jump servers, and cloud infrastructure, because these systems typically serve as critical access points or centralized control nodes within an organization's network. A compromised bastion host or jump server can provide attackers with a foothold to move laterally across internal systems, escalate privileges, or exfiltrate sensitive data.
In cloud environments, where automation and scalability are key, a single infected instance can quickly propagate malware or unauthorized access across multiple virtual machines or services. The stealthy nature of the backdoor — especially its ability to integrate with core authentication mechanisms — further amplifies the threat, as it can remain undetected while silently granting access to attackers.
Because Plague is not detected by antivirus tools, Nextron recommends manual inspection and behavior-based detection methods. Suggested steps include:
- Auditing the /lib/security/ directory for unknown or modified PAM modules
- Monitoring PAM configuration files in /etc/pam.d/ for unauthorized changes
- Looking for login anomalies in authentication logs
- Using tools like Nextron’s THOR scanner, which now includes YARA rules for detecting Plague
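As an added example of the first two audit steps (not Nextron's tooling or any code from the original report), the script below parses pam.d-style configuration lines, lists the module files they reference, and flags modules that are not on an allowlist or that carry a non-pam_ name inside a PAM module directory. The sshd configuration, directory listing and allowlist are constructed sample data; real audits would read the host's /etc/pam.d/ and /lib/security/ and build the allowlist from package manifests.

```python
"""Audit helpers for spotting rogue PAM modules (added example code, not
Nextron's tooling). Assumes pam.d lines use the standard
'type control module [args]' layout; sample data below is constructed."""
import re
from pathlib import PurePosixPath

# type, control (a word or a bracketed [..] expression), then the module.
PAM_LINE = re.compile(r"^\s*-?(auth|account|password|session)\s+"
                      r"(\[[^\]]*\]|\S+)\s+(\S+)")


def modules_referenced(config_text):
    """Return the set of module file names referenced by pam.d config lines.
    Comments and include/substack directives are skipped; a module given
    with a full path is reduced to its file name."""
    refs = set()
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if not m or m.group(2) in ("include", "substack"):
            continue
        refs.add(PurePosixPath(m.group(3)).name)
    return refs


def suspicious_modules(present, referenced, allowlist):
    """Flag (a) modules referenced by config but absent from the allowlist and
    (b) files in the module directory whose name does not follow the usual
    pam_*.so pattern, such as a file named like a system library."""
    findings = [("unexpected-config-reference", n)
                for n in sorted(referenced - allowlist)]
    findings += [("non-pam-name-in-module-dir", n) for n in sorted(present)
                 if n not in allowlist and not n.startswith("pam_")]
    return findings


# Constructed sample: an sshd config with one injected line, a directory
# listing with a library-looking file, and an allowlist of known modules.
SAMPLE_SSHD_CONFIG = """\
# PAM configuration for the Secure Shell service
auth       required     pam_env.so
auth       sufficient   /lib/security/libselinux.so.8
auth       include      common-auth
account    required     pam_nologin.so
session    required     pam_limits.so
"""
SAMPLE_MODULE_DIR = {"pam_env.so", "pam_nologin.so", "pam_limits.so",
                     "pam_unix.so", "libselinux.so.8"}
KNOWN_MODULES = {"pam_env.so", "pam_nologin.so", "pam_limits.so", "pam_unix.so"}


def audit_sample():
    """Run both checks over the constructed sample and return the findings."""
    return suspicious_modules(SAMPLE_MODULE_DIR,
                              modules_referenced(SAMPLE_SSHD_CONFIG),
                              KNOWN_MODULES)


if __name__ == "__main__":
    for kind, name in audit_sample():
        print(f"{kind}: {name}")
```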
Plague is a clear example of how attackers are getting smarter at blending into trusted system components. By targeting the very mechanism used to verify user identities, this backdoor gives adversaries long-term access without raising alarms. Organizations using Linux in critical environments should review their PAM configurations, verify system integrity, and adopt more proactive monitoring tools to defend against threats like this.