New Plague Linux malware stealthily maintains SSH access



A newly discovered Linux malware, which has evaded detection for over a year, allows attackers to gain persistent SSH access and bypass authentication on compromised systems.

Nextron Systems security researchers, who identified the malware and dubbed it “Plague,” describe it as a malicious Pluggable Authentication Module (PAM) that uses layered obfuscation techniques and environment tampering to avoid detection by traditional security tools.

This malware features anti-debugging capabilities to thwart analysis and reverse engineering attempts, string obfuscation to make detection more difficult, hardcoded passwords for covert access, as well as the ability to hide session artifacts that would normally reveal the attacker’s activity on infected devices.

Once loaded, it also scrubs the runtime environment of traces of the attacker's session: it unsets the SSH-related environment variables that would identify the remote client and points the shell history file at /dev/null so no commands are logged, removing the audit trail and login metadata that an interactive session would otherwise leave in system history and logs.

“Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces. Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools,” threat researcher Pierre-Henri Pezier said.

“The malware actively sanitizes the runtime environment to eliminate evidence of an SSH session. Environment variables such as SSH_CONNECTION and SSH_CLIENT are unset using unsetenv, while HISTFILE is redirected to /dev/null to prevent shell command logging.”
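The two indicators the researchers describe above, the unset SSH_CONNECTION/SSH_CLIENT variables and HISTFILE redirected to /dev/null, are also the strings a defender can look for in the modules a host's PAM stack actually loads. The script below is an added example written for this page, not Nextron Systems' tooling: it parses pam.d service files, resolves every referenced module, flags any module that is not on an allow-list, and scans the module bytes for those strings. The PAM config, the module directory, the fake module bodies and the allow-list `KNOWN_MODULES` are all constructed inline so it runs offline; `pam_example_backdoor.so` is a made-up name, not a real indicator.

```python
"""Audit a PAM stack for modules outside an allow-list and for the
environment-tampering strings attributed to Plague.

Added example, not Nextron Systems' code.  The pam.d file, module directory
and fake module bytes are constructed in a temp dir; KNOWN_MODULES is a
hypothetical allow-list.
"""
import os
import re
import tempfile

# Strings the article attributes to Plague's environment sanitising.  A plain
# build leaves them in .rodata/.dynstr; an obfuscated build may hide them.
INDICATORS = (b"SSH_CONNECTION", b"SSH_CLIENT", b"HISTFILE", b"/dev/null", b"unsetenv")

# Hypothetical allow-list.  In production derive it from package ownership
# (dpkg -S / rpm -qf) rather than a literal set.
KNOWN_MODULES = {"pam_unix.so", "pam_env.so", "pam_permit.so", "pam_deny.so", "pam_motd.so"}

# pam.d line: [-]type  control  module [args]; the control field may be a
# bracketed list containing spaces, e.g. "[success=1 default=ignore]".
PAM_LINE = re.compile(r"^-?(?:auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_pam_config(text):
    """Return the module paths referenced by one pam.d file, in order."""
    modules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if m:
            modules.append(m.group(2))
    return modules


def scan_module(path):
    """Return the indicator strings present in the module's bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [ind.decode() for ind in INDICATORS if ind in data]


def audit(pam_dir, module_dir, known=KNOWN_MODULES):
    """Walk pam.d, resolve each module once, report unknown or suspicious ones."""
    findings = []
    seen = set()
    for service in sorted(os.listdir(pam_dir)):
        with open(os.path.join(pam_dir, service)) as fh:
            refs = parse_pam_config(fh.read())
        for ref in refs:
            path = ref if os.path.isabs(ref) else os.path.join(module_dir, ref)
            if path in seen:
                continue
            seen.add(path)
            base = os.path.basename(path)
            hits = scan_module(path) if os.path.exists(path) else []
            unknown = base not in known
            if unknown or hits:
                findings.append({"service": service, "module": base,
                                 "unknown": unknown, "indicators": hits})
    return findings


def build_demo():
    """Constructed fixture: one sshd stack, three benign modules, one backdoor."""
    root = tempfile.mkdtemp(prefix="pam_audit_")
    pam_dir = os.path.join(root, "pam.d")
    module_dir = os.path.join(root, "security")
    os.makedirs(pam_dir)
    os.makedirs(module_dir)
    with open(os.path.join(pam_dir, "sshd"), "w") as fh:
        fh.write(
            "# constructed sample: a typical sshd stack plus one extra module\n"
            "auth     [success=1 default=ignore]  pam_unix.so nullok\n"
            "auth     required   pam_deny.so\n"
            "auth     optional   pam_example_backdoor.so   # constructed name\n"
            "session  optional   pam_motd.so\n"
        )
    # Fake module bodies: not real ELF files, just the bytes the scan inspects.
    fake = {
        "pam_unix.so": b"\x7fELF pam_sm_authenticate pam_unix",
        "pam_deny.so": b"\x7fELF pam_sm_authenticate pam_deny",
        "pam_motd.so": b"\x7fELF pam_sm_open_session pam_motd",
        "pam_example_backdoor.so": b"\x7fELF pam_sm_authenticate unsetenv "
                                   b"SSH_CONNECTION SSH_CLIENT HISTFILE /dev/null",
    }
    for name, body in fake.items():
        with open(os.path.join(module_dir, name), "wb") as fh:
            fh.write(body)
    return pam_dir, module_dir


def run_demo():
    """Build the fixture and audit it; returns the list of findings."""
    pam_dir, module_dir = build_demo()
    return audit(pam_dir, module_dir)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real host point `audit()` at /etc/pam.d and the distribution's module directory (for example /lib/x86_64-linux-gnu/security or /lib64/security). The string scan is the weaker of the two checks: the article notes Plague obfuscates its strings, so a stripped build may carry none of them in cleartext, although `unsetenv` normally still shows up as an imported symbol (`nm -D module.so`) unless it is resolved at runtime. The allow-list check, backed by package ownership, is what catches a module that simply should not be there.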

While analyzing the malware, the researchers also discovered compilation artifacts indicating active development over an extended period, with samples compiled using various GCC versions across different Linux distributions.

Additionally, although multiple variants of the backdoor have been uploaded to VirusTotal over the past year, none of the antivirus engines have flagged them as malicious, suggesting that the creators of the malware have been operating undetected.

“The Plague backdoor represents a sophisticated and evolving threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence,” Pezier added. “Its use of advanced obfuscation, static credentials, and environment tampering makes it particularly difficult to detect using conventional methods.”

In May, Nextron Systems discovered another piece of malware abusing the flexibility of Linux's PAM (Pluggable Authentication Modules) authentication framework, which lets its operators steal credentials, bypass authentication, and gain stealthy persistence on compromised devices.
