New Plague Linux Malware Evades Detection with Stealthy SSH Access

A newly discovered Linux malware, dubbed “Plague,” has been evading detection for over a year. This malicious Pluggable Authentication Module (PAM) uses layered obfuscation techniques and environment tampering to bypass authentication on compromised systems.

The malware features anti-debugging capabilities, string obfuscation, hardcoded passwords, and the ability to hide session artifacts. Once loaded, it scrubs the runtime environment of any traces of malicious activity by unsetting SSH-related environment variables and redirecting command history to /dev/null.
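The environment tampering described above leaves a detectable side effect: a login shell spawned by sshd that lacks the SSH_* variables sshd normally exports, or whose HISTFILE points at /dev/null. The heuristic below is an added example for defenders, not code from the article or from Plague; process records are constructed inline (on a live Linux host they would be built from /proc/<pid>/status and /proc/<pid>/environ), and all function and field names are this example's own.

```python
# Heuristic check for Plague-style session scrubbing.
# A process record is a dict: pid, comm, parent_comm, environ (dict).
# Only shells whose parent process is sshd are examined.

# Variables sshd exports into every interactive SSH session.
SSH_VARS = ("SSH_CONNECTION", "SSH_CLIENT", "SSH_TTY")


def session_findings(proc):
    """Return indicator strings for one process record (empty if clean)."""
    findings = []
    if proc["parent_comm"] != "sshd":
        return findings          # not an SSH session: nothing to compare
    env = proc["environ"]
    missing = [v for v in SSH_VARS if v not in env]
    if missing:
        findings.append(
            f"pid {proc['pid']}: sshd child missing {','.join(missing)}")
    if env.get("HISTFILE") == "/dev/null":
        findings.append(f"pid {proc['pid']}: HISTFILE redirected to /dev/null")
    return findings


def scan_sessions(procs):
    """Run session_findings over all records; return every indicator."""
    return [f for p in procs for f in session_findings(p)]


# Constructed sample data: a normal SSH session, a scrubbed one, and a
# tmux-spawned shell that also uses /dev/null history but is not sshd's child.
SAMPLE = [
    {"pid": 4101, "comm": "bash", "parent_comm": "sshd",
     "environ": {"SSH_CONNECTION": "10.0.0.5 51234 10.0.0.9 22",
                 "SSH_CLIENT": "10.0.0.5 51234 22", "SSH_TTY": "/dev/pts/0",
                 "HISTFILE": "/home/alice/.bash_history"}},
    {"pid": 4207, "comm": "bash", "parent_comm": "sshd",
     "environ": {"HOME": "/root", "HISTFILE": "/dev/null"}},
    {"pid": 4300, "comm": "bash", "parent_comm": "tmux: server",
     "environ": {"HISTFILE": "/dev/null"}},
]

if __name__ == "__main__":
    for line in scan_sessions(SAMPLE):
        print(line)
```

Treat a hit as a lead, not proof: some hardening profiles legitimately disable shell history, so confirm by checking the PAM stack configuration and the module files it loads.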

This makes it exceptionally hard to detect using traditional tools, according to threat researcher Pierre-Henri Pezier. “The Plague backdoor represents a sophisticated and evolving threat to Linux infrastructure,” he said.

The malware’s creators have been operating undetected despite uploading multiple variants of the backdoor to VirusTotal over the past year. The use of advanced obfuscation, static credentials, and environment tampering makes it particularly difficult to detect using conventional methods.

This new threat highlights the importance of robust security measures in Linux infrastructure, particularly those that address authentication mechanisms and persistence. As more malware exploits vulnerabilities in authentication systems, it is essential for organizations to stay vigilant and implement effective countermeasures to prevent such attacks.

Source: https://www.bleepingcomputer.com/news/security/new-plague-malware-backdoors-linux-devices-removes-ssh-session-traces