Security researchers have uncovered a sophisticated Linux backdoor, referred to as “Plague,” that infiltrates systems while evading the conventional antivirus engines used on VirusTotal. The malware is delivered as a malicious pluggable authentication module (PAM), enabling attackers to bypass authentication and maintain persistent secure shell (SSH) access.
According to Nextron researchers, “Plague” integrates seamlessly into the Linux authentication stack, disguised as a trusted PAM module. It is deployed as a shared library file (libselinus.so.8) that hijacks the functions used to verify user credentials during login. Since it first appeared on July 29, 2024, the malware has evolved through multiple variants.
Plague’s architecture lets it persist through system upgrades while leaving minimal forensic traces. Because it lives inside the PAM stack, no separate malware loader is needed: the backdoor activates whenever PAM is invoked, such as at the start of an SSH session.
Notably, Plague has so far defeated traditional antivirus detection. Multiple variants uploaded to VirusTotal were rated clean by every antivirus engine there, suggesting the malware has gone undetected on the systems it has reached.
One of Plague’s key features is the obfuscation applied during its creation. Early iterations used simple XOR encoding, which later progressed to more intricate encryption methods, making analysis harder even for mature security tooling.
The origin of Plague remains unclear, though some of its de-obfuscation routines contain hints related to popular culture, specifically referencing the film “Hackers” in a generated message.
To counter threats like Plague, experts recommend behavioral and memory-based forensic strategies. Security teams should actively audit PAM configurations, monitor for new shared library files in the /lib/security/ directory, and watch for other signs of environment tampering.
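As an added illustration of the audit recommended above (example code written for this post, not from Nextron’s report or any ChicagoVPS tooling), the script below parses pam.d-style configuration for every module it references, flags modules that are not on a constructed allowlist, and lists shared objects in the usual PAM module directories that no installed package claims. The allowlist, module directories and sample configuration are assumptions; the sample’s last `auth` line reuses the file name mentioned in the article.

```python
"""Audit PAM configs and module dirs for unexpected modules (added example)."""
import shutil
import subprocess
from pathlib import Path
# Directories PAM loads modules from on common distributions.
PAM_MODULE_DIRS = ["/lib/security", "/lib64/security", "/usr/lib64/security",
                   "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security"]
# Constructed allowlist of modules a stock install is expected to carry.
KNOWN_MODULES = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_systemd.so",
                 "pam_selinux.so", "pam_limits.so", "pam_faillock.so", "pam_nologin.so"}
# Constructed sample config; the last auth line uses the file name from the article.
SAMPLE_CONFIG = """auth     required   pam_env.so   # stock module
auth     [success=1 default=ignore] pam_unix.so nullok
-session optional   pam_systemd.so
auth     sufficient /lib/security/libselinus.so.8
@include common-account
"""

def parse_pam_modules(config_text):
    """Return the module file names referenced in pam.d-style text."""
    modules = set()
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0].startswith("@"):
            continue
        # Layout: type control module [args]; a bracketed control like "[success=1 default=ignore]" spans tokens.
        idx = 1
        while idx < len(fields) and fields[1].startswith("[") and not fields[idx].endswith("]"):
            idx += 1
        if idx + 1 < len(fields):
            modules.add(Path(fields[idx + 1]).name)
    return modules

def unknown_modules(modules, known=KNOWN_MODULES):
    """Modules absent from the allowlist, sorted for stable reporting."""
    return sorted(m for m in modules if m not in known)

def package_owner(path):
    """Owning package per dpkg/rpm; None if unowned or neither tool exists."""
    for tool, flag in (("dpkg", "-S"), ("rpm", "-qf")):
        if shutil.which(tool):
            res = subprocess.run([tool, flag, str(path)], capture_output=True, text=True)
            return res.stdout.strip() if res.returncode == 0 else None
    return None

def scan_module_dirs(dirs=PAM_MODULE_DIRS, known=KNOWN_MODULES):
    """Shared objects in PAM module dirs that are unlisted or unowned by a package."""
    return [str(so) for d in dirs for so in Path(d).glob("*.so*")
            if so.name not in known or package_owner(so) is None]
```

Running `unknown_modules(parse_pam_modules(open("/etc/pam.d/sshd").read()))` and `scan_module_dirs()` on a host gives two short lists to reconcile against a known-good baseline; anything unlisted or unowned warrants a hash comparison against a clean copy.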