New Undetectable Plague Malware Targeting Linux Servers for Persistent SSH Access
Security researchers have discovered a sophisticated Linux backdoor dubbed “Plague” that has remained undetected by all major antivirus engines despite multiple samples being uploaded to VirusTotal over the past year.
The malicious software operates as a Pluggable Authentication Module (PAM), allowing attackers to silently bypass system authentication and maintain persistent SSH access to compromised Linux systems.
Zero Detection Despite Year-Long Activity
The Plague backdoor represents a significant security concern due to its complete evasion of traditional detection methods.
Despite several variants being uploaded to VirusTotal throughout 2024 and into 2025, not a single antivirus engine among the 66 tested has flagged any sample as malicious.
Analysis of the samples reveals active development and adaptation by the attackers, with builds compiled at different times and in different environments using several GCC versions.
The earliest known sample dates back to July 2024, with the most recent submissions occurring as late as March 2025.
Compilation artifacts show builds from both Debian and Ubuntu toolchains, indicating that the operator has compiled the backdoor in more than one environment.
One particularly intriguing sample named “hijack” may provide clues to the malware’s origins, while hidden references to the 1995 movie “Hackers” appear in deobfuscated code, displaying the message: “Uh. Mr. The Plague, sir? I think we have a hacker.”
Advanced Obfuscation and Stealth Capabilities
Plague employs sophisticated technical features designed to evade detection and analysis.
The backdoor utilizes evolving string obfuscation techniques that have progressed from simple XOR-based encoding to routines resembling RC4's Key Scheduling Algorithm (KSA) and Pseudo-Random Generation Algorithm (PRGA).
The most recent variants incorporate an additional Deterministic Random Bit Generator (DRBG) layer, making analysis increasingly difficult.

Key technical capabilities include:
- Anti-debugging checks that verify the module's on-disk filename is “libselinux.so.8” and that no preload entry (ld.so.preload) is present in its environment variables.
- Environment detection to identify and evade sandbox environments and debugging tools that rely on preload mechanisms.
- Active sanitization of runtime environments by unsetting SSH-related variables such as SSH_CONNECTION and SSH_CLIENT.
- History manipulation by redirecting HISTFILE to /dev/null to prevent shell command logging and eliminate audit trails.
These features let the backdoor operate quietly while scrubbing evidence of attacker activity from interactive sessions and shell history. The sanitization happens inside the attacker's own session, however: it does not touch sshd's own authentication log lines, auditd records or other daemon-side telemetry, which remain the places to look.
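The evasion tricks above all live inside the attacker's session, so the durable artifact is the PAM wiring itself. The following added example (not code from the researchers' write-up) audits /etc/pam.d for module references that do not look like real PAM modules. It assumes the backdoor is wired in the usual way, via a `<type> <control> <module> [args]` line in a service file; the `demo()` fixture, the `/opt/x/pam_evil.so` path and the `check_packages` option are constructed for illustration.

```python
"""Audit /etc/pam.d for modules that do not belong.

Added example, not the researchers' tooling. Assumes the backdoor is referenced
from an /etc/pam.d service file; demo() builds a throwaway fixture, not a real sample.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Directories the PAM loader searches when a module is given as a bare name.
DEFAULT_SECURITY_DIRS = (
    "/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
)
# Bracketed control fields such as [success=1 default=ignore] must be tried first.
LINE_RE = re.compile(r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")
# Genuine PAM modules follow the pam_<name>.so naming convention.
PAM_NAME_RE = re.compile(r"pam_[A-Za-z0-9_.-]+\.so")


def parse_pam_file(path):
    """Yield (type, control, module) for each active directive in a pam.d file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line or line.startswith("@include"):
                continue
            m = LINE_RE.match(line)
            if m:
                yield m.group(1), m.group(2), m.group(3)


def resolve_module(module, security_dirs):
    """Return the on-disk path for a module reference, or None if it is missing."""
    if module.startswith("/"):
        return module if os.path.isfile(module) else None
    for d in security_dirs:
        candidate = os.path.join(d, module)
        if os.path.isfile(candidate):
            return candidate
    return None


def owned_by_package(path):
    """Best-effort package-ownership check; None when neither dpkg nor rpm exists."""
    if shutil.which("dpkg"):
        return subprocess.run(["dpkg", "-S", path], capture_output=True).returncode == 0
    if shutil.which("rpm"):
        return subprocess.run(["rpm", "-qf", path], capture_output=True).returncode == 0
    return None


def audit_pam(pam_dir, security_dirs=DEFAULT_SECURITY_DIRS, check_packages=False):
    """Return (service file, module, reason) findings for every suspicious directive."""
    findings = []
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if not os.path.isfile(path):
            continue
        for _type, control, module in parse_pam_file(path):
            # "include"/"substack" name another service file, not a shared object.
            if control in ("include", "substack"):
                continue
            base = os.path.basename(module)
            # Plague ships as libselinux.so.8; the genuine libselinux is libselinux.so.1
            # and is not a PAM module at all, so any non pam_*.so name deserves a look.
            if not PAM_NAME_RE.fullmatch(base):
                findings.append((name, module, "non-standard module name"))
            if module.startswith("/") and os.path.dirname(module) not in security_dirs:
                findings.append((name, module, "path outside PAM security directories"))
            resolved = resolve_module(module, security_dirs)
            if resolved is None:
                findings.append((name, module, "module file not found"))
                continue
            if check_packages and owned_by_package(resolved) is False:
                findings.append((name, module, "not owned by any package"))
    return findings


def demo():
    """Constructed fixture: one clean directive, one Plague-style name, one stray path."""
    root = tempfile.mkdtemp()
    sec = os.path.join(root, "lib", "security")
    pam = os.path.join(root, "etc", "pam.d")
    os.makedirs(sec)
    os.makedirs(pam)
    for fname in ("pam_unix.so", "libselinux.so.8"):
        open(os.path.join(sec, fname), "wb").close()
    with open(os.path.join(pam, "sshd"), "w") as fh:
        fh.write(
            "# constructed sample, not a real configuration\n"
            "auth    [success=1 default=ignore] pam_unix.so nullok\n"
            "auth    sufficient libselinux.so.8\n"
            "session optional   /opt/x/pam_evil.so\n"
            "auth    include    common-auth\n"
        )
    return audit_pam(pam, security_dirs=(sec,))


if __name__ == "__main__":
    for service, module, reason in demo():
        print(f"{service}: {module}: {reason}")
```

On a live host call `audit_pam("/etc/pam.d", check_packages=True)` as root; the package-ownership check is the one that catches a rogue module that has been given a plausible pam_*.so name, while the naming check is what flags the libselinux.so.8 disguise described above.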
Detection Methods and Security Implications
Security researchers have developed specialized tools to combat this threat, including a custom string deobfuscation utility using the Unicorn emulation framework within IDA Pro.
The tool safely emulates the malware’s decryption routines without executing the malicious code, allowing analysts to extract and annotate encrypted strings even as obfuscation methods evolve.
Several hardcoded passwords have been identified across different samples, including “Mvi4Odm6tld7,” “IpV57KNK32Ih,” and “changeme,” which enable unauthorized access without proper authentication.
Researchers have released YARA detection rules targeting specific function names like “decrypt_phrase” and “init_phrases” that appear consistently across variants.
The discovery of Plague highlights how exposed a foundational component like PAM is: a malicious module sits inside the authentication path itself, and every login decision passes through it.
Its ability to persist through system updates while leaving minimal forensic traces demonstrates the evolving threat landscape facing Linux infrastructure.
This case underscores the importance of proactive threat hunting using behavioral analysis and specialized detection tools beyond traditional antivirus solutions.
Indicators of Compromise (IoCs):
SHA-256 | Size (KB) | Filename | First Submission (UTC) | Submit From | Compilation Artifacts |
---|---|---|---|---|---|
85c66835657e3ee6a478a2e0b1fd3d87119bebadc43a16814c30eb94c53766bb | 36.18 | libselinux.so.8 | 2024-07-29 17:55:52 | USA | GCC: (Debian 10.2.1-6) 10.2.1 20210110 |
7c3ada3f63a32f4727c62067d13e40bcb9aa9cbec8fb7e99a319931fc5a9332e | 41.65 | libselinux.so.8 | 2024-08-02 21:10:51 | USA | GCC: (Debian 10.2.1-6) 10.2.1 20210110 |
9445da674e59ef27624cd5c8ffa0bd6c837de0d90dd2857cf28b16a08fd7dba6 | 49.55 | libselinux.so.8 | 2025-02-04 16:53:45 | USA | GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0 |
5e6041374f5b1e6c05393ea28468a91c41c38dc6b5a5230795a61c2b60ed14bc | 58.77 | libselinux.so.8 | 2025-02-09 21:27:32 | USA | GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0 |
6d2d30d5295ad99018146c8e67ea12f4aaa2ca1a170ad287a579876bf03c2950 | 49.59 | hijack | 2025-02-10 03:07:24 | CHINA | GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0 |
e594bca43ade76bbaab2592e9eabeb8dca8a72ed27afd5e26d857659ec173261 | 109.67 | libselinux.so.8 | 2025-02-13 22:58:43 | USA | stripped |
14b0c90a2eff6b94b9c5160875fcf29aff15dcfdfd3402d953441d9b0dca8b39 | 41.77 | libse.so | 2025-03-22 18:46:36 | USA | |
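The hashes, filenames and strings above are enough for a first sweep without YARA installed. The following added example (not the researchers' tooling) walks a directory tree and flags files by the SHA-256 values from the IoC table, by the filenames it lists, and by the symbol names the published YARA rules key on together with two of the sample-specific passwords quoted above. The `demo()` fixture, including the fake ELF it writes, is constructed and is not a real Plague sample.

```python
"""Sweep a directory tree for the Plague indicators published in this article.

Added example, not the researchers' tooling. Hashes and filenames come from the IoC
table, strings from the YARA function names and passwords quoted above; demo() is a
constructed fixture.
"""
import hashlib
import os
import sys
import tempfile

PLAGUE_SHA256 = {
    "85c66835657e3ee6a478a2e0b1fd3d87119bebadc43a16814c30eb94c53766bb",
    "7c3ada3f63a32f4727c62067d13e40bcb9aa9cbec8fb7e99a319931fc5a9332e",
    "9445da674e59ef27624cd5c8ffa0bd6c837de0d90dd2857cf28b16a08fd7dba6",
    "5e6041374f5b1e6c05393ea28468a91c41c38dc6b5a5230795a61c2b60ed14bc",
    "6d2d30d5295ad99018146c8e67ea12f4aaa2ca1a170ad287a579876bf03c2950",
    "e594bca43ade76bbaab2592e9eabeb8dca8a72ed27afd5e26d857659ec173261",
    "14b0c90a2eff6b94b9c5160875fcf29aff15dcfdfd3402d953441d9b0dca8b39",
}
IOC_FILENAMES = {"libselinux.so.8", "libse.so", "hijack"}
# Symbol names the published YARA rules key on, plus two sample-specific passwords.
# "changeme" is left out: it is far too common to be a useful indicator on its own.
STRING_IOCS = (b"decrypt_phrase", b"init_phrases", b"Mvi4Odm6tld7", b"IpV57KNK32Ih")
ELF_MAGIC = b"\x7fELF"
MAX_SIZE = 32 * 1024 * 1024  # skip huge files; the known samples are well under 1 MB


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path):
    """Return the list of reasons a file is suspicious; an empty list means clean."""
    reasons = []
    if os.path.basename(path) in IOC_FILENAMES:
        reasons.append("filename listed in IoC table")
    if os.path.getsize(path) > MAX_SIZE:
        return reasons
    if sha256_of(path) in PLAGUE_SHA256:
        reasons.append("sha256 matches a known sample")
    with open(path, "rb") as fh:
        data = fh.read()
    # Only ELF objects are string-scanned: the indicators are plain symbol and
    # password strings inside the binary, which is what the YARA rules match on.
    if data.startswith(ELF_MAGIC):
        for s in STRING_IOCS:
            if s in data:
                reasons.append("contains string " + s.decode())
    return reasons


def scan_tree(root):
    """Map each flagged file path to its list of reasons."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                reasons = scan_file(p)
            except OSError:
                continue  # unreadable; rerun as root if it matters
            if reasons:
                hits[p] = reasons
    return hits


def demo():
    """Constructed fixture: a fake ELF carrying the YARA symbol names beside a clean one."""
    root = tempfile.mkdtemp()
    sec = os.path.join(root, "lib", "security")
    os.makedirs(sec)
    with open(os.path.join(sec, "libselinux.so.8"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 60 + b"init_phrases\x00decrypt_phrase\x00")
    with open(os.path.join(sec, "pam_unix.so"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 60 + b"pam_sm_authenticate\x00")
    return scan_tree(root)


if __name__ == "__main__":
    for path, reasons in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/lib").items():
        print(path, ", ".join(reasons))
```

Run it as root against `/` (or at least the library and PAM directories) rather than the default `/lib`. Note the table's stripped sample: stripping removes the symbol names the YARA rules and the string check rely on, so for builds like that one the hash and filename checks carry the weight, and an unknown stripped build would be caught only by the naming and package-ownership checks on the PAM configuration.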