- Nextron Systems found a malicious Pluggable Authentication Module
- They named it Plague after finding pop culture references
- The malware is capable of wreaking havoc across high-value targets
Security researchers have found a piece of highly capable Linux malware which somehow flew the radar for a year.
Nextron Systems reported finding Plague, a malicious Pluggable Authentication Module (PAM) that grants attackers persistent, covert access to compromised systems.
“The Plague backdoor represents a sophisticated and evolving threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence,” the researchers explained. “Its use of advanced obfuscation, static credentials, and environment tampering makes it particularly difficult to detect using conventional methods.”
Manual inspection
The malware was named Plague after finding a reference to Mr. Plague, a character from the 1995 movie Hackers, in its code.
The researchers said that multiple samples were uploaded to VirusTotal over the past year, yet none were flagged as malicious, which could indicate the backdoor managed to evade public scrutiny and antivirus detection.
Plague integrates deeply into the authentication stack, survives system updates, and leaves minimal forensic traces, the experts explained.
It employs evolving string obfuscation techniques, including XOR, KSA/PRGA-like routines, and DRBG layer. It also features anti-debugging checks and session stealth mechanisms that erase all traces of activity. Compiler metadata also showed that it is in active development.
For cybercriminals, there are multiple benefits to malware hiding inside PAM systems.
According to a CyberInsider report, Plague can steal login credentials, making it particularly dangerous on high-value Linux systems such as bastion hosts, jump servers, and cloud infrastructure.
“A compromised bastion host or jump server can provide attackers with a foothold to move laterally across internal systems, escalate privileges, or exfiltrate sensitive data,” the publication argues.
Furthermore, a compromised cloud environment could grant the attackers access to multiple virtual machines or services all at once.
Since Plague is still not being flagged by the best antivirus tools, Nextron advises admins to manually inspect their devices, including auditing the /lib/security directory for shady PAM modules, monitoring PAM configuration files in /etc/pam.d/ for changes, and looking for suspicious logins in authentication logs.
Via The Register