New Undetectable Plague Malware Attacking Linux Servers to Gain Persistent SSH Access
A Linux backdoor dubbed Plague has emerged as a serious threat to enterprise Linux servers: at the time of analysis it evaded every antivirus engine on VirusTotal while establishing persistent SSH access by inserting itself into the core authentication mechanism, PAM.
Discovered by researchers at Nextron Systems, the malware abuses Pluggable Authentication Modules (PAM), loading as a seemingly legitimate authentication module to gain stealth and system-level persistence.
The malware's most alarming characteristic is its lack of antivirus coverage. Multiple variants were uploaded to VirusTotal over roughly a year, and none of the 66 engines flagged any sample as malicious, a 0/66 detection rate. Note what that figure measures: signature and heuristic engine coverage of the file, not whether host-based integrity checks or authentication monitoring would catch the module once installed.

This evasion stems from where the implant sits: it runs as a PAM module, a position in which dynamically loaded shared libraries are expected and trusted, while subverting the controls that position exists to enforce.
Plague Malware Evasion Mechanisms
Plague combines string obfuscation with system-level manipulation. Its string obfuscation has evolved from simple XOR encoding to multi-stage routines built from a Key Scheduling Algorithm (KSA) and a Pseudo-Random Generation Algorithm (PRGA), the two halves of an RC4-style stream cipher, plus a Deterministic Random Bit Generator (DRBG) layer. This progression reflects continuous development by the operators to stay ahead of analysis tooling.
The malware's antidebug mechanisms verify that the binary keeps its expected filename, libselinux.so.8, and check for the absence of ld.so.preload in its environment. "These checks enable the malware to detect sandbox environments and debuggers that commonly rename binaries or utilize preloading mechanisms for analysis," reads the Nextron report.
Such checks follow established antidebug practice: verify the execution environment before activating malicious functionality. The filename check also means a sample that was renamed during collection may refuse to activate, so dynamic analysis should be done on a copy that keeps the original name.

String encryption is a critical component of Plague's stealth. Initial samples used basic XOR, where each byte is XORed with a fixed key.
Recent variants have adopted RC4-like implementations with custom KSA and PRGA routines: the KSA initializes a 256-byte state array through key-dependent swaps, and the PRGA walks that state to produce the pseudorandom keystream that decrypts the obfuscated strings at runtime.
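The KSA/PRGA construction described above, written out as an added example: this is illustration code, not code from Plague or from Nextron's report. The key, the length-prefixed string-table layout, and the sample strings are constructed for the example; the DRBG layer mentioned in the article is not detailed there and is not reproduced. The `rc4_crypt` function is checked against the standard RC4 test vector, which is what makes an "RC4-like" routine recognisable when it turns up in a disassembly.

```python
"""RC4-style (KSA + PRGA) and XOR string deobfuscation.

Added illustration, not code from Plague or Nextron. Key, table layout and
sample strings are constructed; the DRBG stage is not modelled.
"""


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Early-variant style: every byte XORed with a repeating fixed key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4_ksa(key: bytes) -> list[int]:
    """Key Scheduling Algorithm: permute a 256-byte state under the key."""
    if not key:
        raise ValueError("empty key")
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    return state


def rc4_prga(state: list[int], length: int) -> bytes:
    """Pseudo-Random Generation Algorithm: emit `length` keystream bytes."""
    s = state.copy()  # leave the caller's scheduled state untouched
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


# Constructed string-table layout (assumption, not Plague's real format):
# one length byte followed by that many ciphertext bytes, repeated.
def build_table(strings: list[bytes], key: bytes) -> bytes:
    blob = bytearray()
    for s in strings:
        if len(s) > 255:
            raise ValueError("entry too long for a 1-byte length prefix")
        blob.append(len(s))
        blob += rc4_crypt(key, s)
    return bytes(blob)


def decrypt_table(blob: bytes, key: bytes) -> list[bytes]:
    """Walk the table and recover every string, as a deobfuscator would."""
    out, pos = [], 0
    while pos < len(blob):
        n = blob[pos]
        pos += 1
        chunk = blob[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated table entry")
        out.append(rc4_crypt(key, chunk))
        pos += n
    return out


SAMPLE_KEY = b"example-key"  # constructed; not a key from any sample
SAMPLE_STRINGS = [b"libselinux.so.8", b"HISTFILE", b"/dev/null", b"SSH_CONNECTION"]
SAMPLE_TABLE = build_table(SAMPLE_STRINGS, SAMPLE_KEY)

if __name__ == "__main__":
    for s in decrypt_table(SAMPLE_TABLE, SAMPLE_KEY):
        print(s.decode())
```

When reversing a sample, the practical workflow is the reverse of `build_table`: locate the KSA (a 256-iteration loop with a swap), find the key it consumes, then run `decrypt_table` over the blob the PRGA loop reads from, adjusting the entry layout to whatever the binary actually uses.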
Plague achieves persistence by masquerading as a legitimate PAM module, implementing the pam_sm_authenticate() entry point responsible for verifying user credentials.
This exploits PAM's modular architecture: services such as sshd dynamically load the shared libraries named in the configuration files under /etc/pam.d/, so a module placed in that trusted path sees plaintext credentials and takes part in the authentication decision.
Feature | Description | Purpose / Benefit for Attacker |
---|---|---|
Antidebug | Checks the binary's filename and environment to detect debuggers and sandboxes | Avoids activating under analysis |
String Obfuscation | Multi-layer encryption of strings and offsets inside the binary | Hides sensitive strings, evades signature-based AV |
Static Password | Hardcoded backdoor password inside the PAM module | Persistent, covert SSH access independent of real credentials |
Hidden Session Artifacts | Sanitizes the environment, unsets SSH variables, disables shell history | Erases evidence of the login and of commands run |
The malware implements static password authentication: a hardcoded backdoor password that lets the attacker log in without the account's real credential.
This mirrors documented PAM backdoor methodology, where the malicious module returns PAM_SUCCESS whenever the backdoor password is presented, regardless of what the account's real password is. Because the implant lives in the authentication stack rather than in any application, ordinary package updates do not disturb it, and it runs with the elevated privileges of the authenticating process (for sshd, root).
Plague also shows a working knowledge of Linux forensic artifacts through its session stealth. It removes evidence of the SSH connection by unsetting the SSH_CONNECTION, SSH_CLIENT, and SSH_TTY environment variables, which normally carry the client IP address, port numbers, and terminal information that administrators rely on for audit trails.
It also points the HISTFILE environment variable at /dev/null, preventing shell command history from being recorded, so attacker activity leaves no trace in bash history files, which are routinely examined during incident response. The malware's familiarity with these artifacts suggests developers with significant operational security experience.
Unsetting those variables only affects the attacker's own shell. sshd's log messages in the journal or /var/log/auth.log still record the accepted login and its source address, and auditd or process accounting still capture the commands run, so responders should rely on those sources rather than on shell history.
Compilation artifacts show active, sustained development across multiple environments and timeframes. Seven distinct samples compiled between July 2024 and March 2025 show continuous refinement, with compiler metadata indicating builds on Debian, Ubuntu, and Red Hat systems.
VirusTotal submissions came mostly from the United States, with one sample from China. Submission origin reflects who uploaded the sample, not where it was deployed, so this is consistent with either widespread deployment or deliberate misdirection.
The malware contains a cultural reference to the 1995 film "Hackers," displaying the message "Uh. Mr. The Plague, sir? I think we have a hacker." after a successful authentication bypass.
This easter egg, visible only after deobfuscation, hints at the developers' cultural background and familiarity with classic hacker culture, though a film quote is weak evidence for attribution on its own.
Plague's emergence highlights the limits of endpoint security that relies heavily on signature-based detection.
A 0/66 result across VirusTotal's engines shows how little conventional tools see when an implant lives inside a trusted system component rather than arriving as a recognisable dropper.
The targeting of PAM represents a strategic evolution in Linux malware, moving beyond application-layer attacks to foundational system components.
Because the implant is part of the authentication stack itself, it survives application updates and security patches that never touch PAM's module directory. Security teams should inventory and integrity-check PAM modules, and monitor /etc/pam.d and the module directories for modifications, to detect this and similar threats.
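The PAM loading path described earlier and the integrity check recommended here, as an added example. This is illustration code written for this page, not Nextron's tooling and not a complete detection. It parses pam.d rules, flags modules that fall outside the pam_*.so naming convention or match the filenames in the IoC table below, and hashes whatever sits in the module directories against the SHA-256 values from that table. Assumptions: the module directories listed are the usual Debian/Ubuntu and RHEL locations, the sample sshd configuration is constructed, and the naming heuristic will also flag legitimately custom-named modules, which then need manual review.

```python
"""Audit pam.d rules and PAM module directories against Plague IoCs.

Added illustration, not Nextron's tooling. Module directories, the
sample config and the naming heuristic are assumptions.
"""
import hashlib
import os
import re

# SHA-256 values copied from the IoC table on this page.
PLAGUE_SHA256 = {
    "85c66835657e3ee6a478a2e0b1fd3d87119bebadc43a16814c30eb94c53766bb",
    "7c3ada3f63a32f4727c62067d13e40bcb9aa9cbec8fb7e99a319931fc5a9332e",
    "9445da674e59ef27624cd5c8ffa0bd6c837de0d90dd2857cf28b16a08fd7dba6",
    "5e6041374f5b1e6c05393ea28468a91c41c38dc6b5a5230795a61c2b60ed14bc",
    "6d2d30d5295ad99018146c8e67ea12f4aaa2ca1a170ad287a579876bf03c2950",
    "e594bca43ade76bbaab2592e9eabeb8dca8a72ed27afd5e26d857659ec173261",
    "14b0c90a2eff6b94b9c5160875fcf29aff15dcfdfd3402d953441d9b0dca8b39",
}
PLAGUE_FILENAMES = {"libselinux.so.8", "hijack", "libse.so"}  # same table

# Assumption: common module directories; extend for your distribution.
PAM_MODULE_DIRS = ["/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
                   "/lib64/security", "/usr/lib64/security", "/lib/security"]

# Rule syntax: [-]type control module-path [args]; control may be a
# bracketed expression such as [success=1 default=ignore].
_RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_pam_config(text: str) -> list[tuple[str, str, str, str]]:
    """Return (type, control, module, args) for each rule in a pam.d file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = _RULE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), m.group(4) or ""))
    return entries


def suspicious_modules(entries) -> list[tuple[str, str]]:
    """Flag IoC filenames and modules outside the pam_*.so convention."""
    flagged = []
    for _kind, _control, module, _args in entries:
        name = os.path.basename(module)
        if name in PLAGUE_FILENAMES:
            flagged.append((module, "matches Plague IoC filename"))
        elif not (name.startswith("pam_") and ".so" in name):
            flagged.append((module, "non-standard PAM module name"))
    return flagged


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_module_dirs(dirs=PAM_MODULE_DIRS) -> list[tuple[str, str, str]]:
    """Hash every file in the module directories and report IoC hits."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if not os.path.isfile(path):
                continue
            digest = sha256_file(path)
            if digest in PLAGUE_SHA256:
                hits.append((path, digest, "known Plague sample"))
            elif name in PLAGUE_FILENAMES:
                hits.append((path, digest, "Plague IoC filename"))
    return hits


# Constructed /etc/pam.d/sshd excerpt with one injected rule. A backdoor
# marked `sufficient` short-circuits the stack as soon as it returns success.
SAMPLE_SSHD_CONFIG = """\
# PAM configuration for the Secure Shell service (constructed sample)
auth       required     pam_env.so
auth       sufficient   /lib/x86_64-linux-gnu/security/libselinux.so.8
auth       [success=1 default=ignore] pam_unix.so nullok
auth       requisite    pam_deny.so
@include common-account
session    optional     pam_motd.so motd=/run/motd.dynamic noupdate
-session   optional     pam_systemd.so
"""

if __name__ == "__main__":
    for module, reason in suspicious_modules(parse_pam_config(SAMPLE_SSHD_CONFIG)):
        print(f"config: {module}: {reason}")
    for path, digest, reason in scan_module_dirs():
        print(f"file: {path} {digest}: {reason}")
```

On a real host, run the scan over every file under /etc/pam.d, and follow up each flagged module path with the package manager: `dpkg -S <path>` or `rpm -qf <path>` tells you whether any package owns the file, and `dpkg --verify` or `rpm -Va` reports packaged modules whose contents no longer match. A module that no package owns, in a directory that only packages should write to, is the finding to escalate.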
IoC List
SHA-256 | Size | Filename | First Submission (UTC) | Country | Compiler |
---|---|---|---|---|---|
85c66835657e3ee6a478a2e0b1fd3d87119bebadc43a16814c30eb94c53766bb | 36.18 KB | libselinux.so.8 | 2024-07-29 17:55:52 | USA | GCC: (Debian 10.2.1-6) 10.2.1 20210110 |
7c3ada3f63a32f4727c62067d13e40bcb9aa9cbec8fb7e99a319931fc5a9332e | 41.65 KB | libselinux.so.8 | 2024-08-02 21:10:51 | USA | GCC: (Debian 10.2.1-6) 10.2.1 20210110 |
9445da674e59ef27624cd5c8ffa0bd6c837de0d90dd2857cf28b16a08fd7dba6 | 49.55 KB | libselinux.so.8 | 2025-02-04 16:53:45 | USA | GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0 |
5e6041374f5b1e6c05393ea28468a91c41c38dc6b5a5230795a61c2b60ed14bc | 58.77 KB | libselinux.so.8 | 2025-02-09 21:27:32 | USA | GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0 |
6d2d30d5295ad99018146c8e67ea12f4aaa2ca1a170ad287a579876bf03c2950 | 49.59 KB | hijack | 2025-02-10 03:07:24 | CHINA | GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0 |
e594bca43ade76bbaab2592e9eabeb8dca8a72ed27afd5e26d857659ec173261 | 109.67 KB | libselinux.so.8 | 2025-02-13 22:58:43 | USA | stripped |
14b0c90a2eff6b94b9c5160875fcf29aff15dcfdfd3402d953441d9b0dca8b39 | 41.77 KB | libse.so | 2025-03-22 18:46:36 | USA | GCC: (GNU) 4.8.5 20150623 (Red Hat 4.8.5-44) |
Organizations should audit their PAM configurations now, verify the integrity of every authentication module against package manager records, and monitor for suspicious authentication patterns such as successful logins that sshd accepted without a corresponding credential change or key.
The malware's sophistication suggests advanced persistent threat capabilities, which warrants an elevated security posture for critical infrastructure and defense contractors in particular.