Nextron Threat Research has identified a Linux malware family it calls 'Plague', a highly persistent backdoor that antivirus engines did not detect. Plague is built as a malicious PAM (Pluggable Authentication Module), which lets attackers bypass authentication and keep persistent SSH access. Because it sits inside the authentication stack it survives system updates and leaves little forensic trace: it sanitizes its runtime environment to erase evidence of SSH sessions, obfuscates its strings, disguises itself under legitimate-looking file names, and carries hardcoded passwords so operators can log in at will. How 'Plague' gets installed is still unclear, and samples uploaded to VirusTotal were not flagged as malicious.
The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access.
The malware actively sanitizes the runtime environment to eliminate evidence of an SSH session, unsetting SSH-related environment variables and redirecting shell history so the session leaves no trace.
Plague uses a variety of techniques to avoid detection, including hiding session logs, implementing a custom string obfuscation system, and concealing itself from debuggers.
Nextron isn't sure how miscreants would install Plague, and variants uploaded to VirusTotal in 2024 were never flagged as malicious.
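Two host-side checks that follow from the behaviour described above, as an added example (this is not code from Nextron's write-up or from the Plague sample): an audit of every module wired into the PAM stack under /etc/pam.d that asks the package manager who owns it, since a backdoor dropped under a legitimate-sounding name is still owned by no package, and a scan of process environments for shells spawned by sshd that carry no SSH_* variables or point HISTFILE at /dev/null. The PAM module directories, the use of dpkg/rpm as the ownership oracle, and HISTFILE=/dev/null as the history-hiding indicator are assumptions made here, and the sample pam.d text is constructed.

```python
"""Host-side checks for a PAM backdoor of the kind described above.

Added example, not code from Nextron's analysis or the Plague sample.
Assumptions are marked inline: the PAM module directories searched,
dpkg/rpm as the package-ownership oracle, HISTFILE=/dev/null as the
history-hiding indicator.
"""
import glob
import os
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# pam.d rule syntax: [-]type  control  module-path  [arguments]; control may be bracketed.
PAM_RULE = re.compile(
    r"^-?(?:auth|account|password|session)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)"
)

# Assumed default module directories on Debian/Ubuntu and RHEL-style hosts.
MODULE_DIRS = ["/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
               "/lib/security", "/lib64/security", "/usr/lib64/security"]


def referenced_modules(config_text: str) -> List[str]:
    """Module references in one pam.d file, in order. Comments, @include lines,
    include/substack controls (they name other configs) and backslash
    continuations are handled."""
    modules = []
    for line in config_text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = PAM_RULE.match(line)
        if m and m.group("control") not in ("include", "substack"):
            modules.append(m.group("module"))
    return modules


def audit_pam(configs: Dict[str, str],
              owner_of: Callable[[str], Optional[str]]) -> List[Tuple[str, str]]:
    """(config file, module) pairs for every referenced module that owner_of()
    cannot attribute to an installed package."""
    findings = []
    for path, text in configs.items():
        for module in referenced_modules(text):
            if owner_of(module) is None:
                findings.append((path, module))
    return findings


def package_owner(module: str) -> Optional[str]:
    """Live oracle for audit_pam(): resolve the module to a file, then ask dpkg
    and rpm which package owns it. None when neither claims the file."""
    candidates = [module] if os.path.isabs(module) else [os.path.join(d, module) for d in MODULE_DIRS]
    for candidate in candidates:
        if not os.path.exists(candidate):
            continue
        real = os.path.realpath(candidate)  # merged-/usr symlinks confuse dpkg -S
        for cmd in (["dpkg", "-S", real], ["rpm", "-qf", real]):
            try:
                out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
            except (OSError, subprocess.CalledProcessError):
                continue
            return out.strip().split(":")[0]
        return None  # file exists but no package manager claims it
    return None  # not found in any module dir; still worth reporting


def suspicious_session_env(environ: bytes, parent_is_sshd: bool) -> List[str]:
    """Findings for one process environment as read from /proc/<pid>/environ.
    A shell whose parent is sshd but that carries no SSH_* variables has had
    them stripped; HISTFILE=/dev/null (assumed indicator) discards history."""
    env = dict(item.split(b"=", 1) for item in environ.split(b"\0") if b"=" in item)
    findings = []
    if parent_is_sshd and not any(k in env for k in (b"SSH_CONNECTION", b"SSH_CLIENT", b"SSH_TTY")):
        findings.append("sshd child without SSH_* variables")
    if env.get(b"HISTFILE") == b"/dev/null":
        findings.append("HISTFILE redirected to /dev/null")
    return findings


def _live_scan() -> None:
    """Run both checks against the running host (needs root to read /proc/*/environ)."""
    configs = {}
    for path in glob.glob("/etc/pam.d/*"):
        try:
            with open(path) as fh:
                configs[path] = fh.read()
        except OSError:
            continue
    for path, module in audit_pam(configs, package_owner):
        print(f"UNOWNED PAM MODULE {module} referenced from {path}")
    for proc in glob.glob("/proc/[0-9]*"):
        try:
            with open(os.path.join(proc, "stat")) as fh:
                ppid = int(fh.read().rsplit(")", 1)[1].split()[1])  # field after state
            with open(f"/proc/{ppid}/comm") as fh:
                parent_is_sshd = fh.read().strip().startswith("sshd")
            with open(os.path.join(proc, "environ"), "rb") as fh:
                environ = fh.read()
        except (OSError, ValueError, IndexError):
            continue
        for finding in suspicious_session_env(environ, parent_is_sshd):
            print(f"{proc}: {finding}")


if __name__ == "__main__":
    _live_scan()
```

Run it as root; an unowned module referenced from /etc/pam.d/sshd or common-auth is the finding to chase first, and a shell under sshd with no SSH_CONNECTION is worth correlating against the auth log, which such an implant leaves without a matching successful login.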