New ‘Plague’ Malware Attacks Linux Servers for Persistent SSH Access

New 'Plague' Malware Attacks Linux Servers for Persistent SSH AccessShake Network Technology NewsClick the follow button on the right for the latest technology news!New 'Plague' Malware Attacks Linux Servers for Persistent SSH AccessNew 'Plague' Malware Attacks Linux Servers for Persistent SSH AccessCybersecurity researchers have discovered a complex Linux backdoor program named “Plague” that establishes persistent SSH access by manipulating core authentication mechanisms while evading detection by all major antivirus engines, posing an unprecedented threat to enterprise security.Researchers from Nextron Systems found that this malware represents a paradigm shift in attacks against Linux systems, utilizing Pluggable Authentication Modules (PAM) to achieve near-perfect stealth and system-level persistence.The most concerning feature of this malware is its complete invisibility to traditional security measures. Despite multiple variants being uploaded to the VirusTotal platform over the past year, none of the 66 antivirus engines flagged its samples as malicious, maintaining a perfect detection rate of 0/66.New 'Plague' Malware Attacks Linux Servers for Persistent SSH AccessThis unprecedented evasion capability stems from its deep integration with the Linux authentication infrastructure, operating as a legitimate PAM module while secretly undermining security controls.Part01

Evasion Mechanisms of the “Plague” Malware

“Plague” employs a multi-layered technical approach, combining advanced obfuscation techniques with system-level operations. The malware uses an evolving string obfuscation technique, progressing from simple XOR-based encryption to complex multi-stage algorithms that include Key Scheduling Algorithm (KSA), Pseudo-Random Generation Algorithm (PRGA), and Deterministic Random Bit Generator (DRBG). This evolution reflects the continuous development by threat actors to stay ahead of analysis tools.The malware’s anti-debugging mechanisms verify whether the binary retains its expected filename libselinux.so.8 and checks that the environment variable ld.so.preload is absent. Nextron reports that these checks allow the malware to detect sandbox environments and debuggers that typically rename binaries or utilize preloading mechanisms for analysis. These techniques align with established anti-debugging methods, as the malware verifies the integrity of the execution environment before activating its malicious functions.New 'Plague' Malware Attacks Linux Servers for Persistent SSH AccessString encryption is a key component of “Plague”‘s stealth capabilities. The initial samples used basic XOR operations, where each byte is XORed with a predetermined key. However, recent variants have adopted an RC4-like implementation with custom KSA and PRGA routines. The KSA phase initializes a 256-byte state array through key-dependent permutations, while the PRGA generates a pseudo-random key stream for decrypting obfuscated strings at runtime.“Plague” achieves persistence by masquerading as a legitimate PAM module, specifically targeting the pam_sm_authenticate() function responsible for user credential verification. This method exploits PAM’s modular architecture, where the authentication process dynamically loads shared libraries based on configuration files in /etc/pam.d/. By placing itself in this trusted execution path, “Plague” gains access to plaintext credentials and authentication decisions.New 'Plague' Malware Attacks Linux Servers for Persistent SSH AccessThe malware implements static password authentication, allowing attackers to bypass normal credential verification through a hardcoded backdoor password. This technique reflects documented PAM backdoor methods, where the malicious module unconditionally returns PAM_SUCCESS for specific credential combinations. The implant’s integration with the authentication stack ensures its survival after system updates and operates with elevated privileges inherent to the authentication process.“Plague” demonstrates a profound understanding of Linux forensic artifacts through comprehensive session concealment mechanisms. The malware systematically removes evidence of SSH connections by unsetting key environment variables (including SSH_CONNECTION, SSH_CLIENT, and SSH_TTY). These variables typically contain connection metadata such as client IP addresses, port numbers, and terminal information, which system administrators rely on for audit trails.Additionally, “Plague” redirects the HISTFILE environment variable to /dev/null, effectively preventing shell command history from being recorded. This technique ensures that the attacker’s activities leave no traces in the bash history files, which are often checked during incident response. The malware’s understanding of Linux forensic procedures indicates that the developers possess significant operational security expertise.Analysis of compiled artifacts reveals ongoing active development across multiple environments and timeframes. Seven different samples compiled between July 2024 and March 2025 show continuous improvements, with compiler metadata indicating these builds originate from Debian, Ubuntu, and Red Hat systems. The geographical distribution of VirusTotal submissions is primarily from the United States, with one sample from China, suggesting possible widespread deployment or deliberate misdirection.The malware contains a cultural reference to the 1995 film “Hackers,” displaying the message “Uh, Mr. Plague? I think we have a hacker” after successfully bypassing authentication. This Easter egg is only visible after deobfuscation, providing clues about the threat actor’s cultural background and potentially attributing them to a Western threat organization familiar with classic hacker culture.The emergence of “Plague” highlights critical vulnerabilities in traditional endpoint security approaches that heavily rely on signature-based detection. The malware’s ability to achieve zero detection across 66 antivirus engines indicates the limitations of traditional security tools when faced with new attack vectors that exploit trusted system components.Attacks targeting PAM infrastructure represent a strategic evolution in Linux malware, shifting from application-layer attacks to focusing on foundational system components. This approach allows attackers to maintain access regardless of application updates or security patches, as the authentication layer continues to harbor vulnerabilities. Security teams must implement PAM module integrity checks and monitor for modifications to the authentication subsystem to detect similar threats.Indicators of CompromiseNew 'Plague' Malware Attacks Linux Servers for Persistent SSH AccessOrganizations should immediately audit PAM configurations, verify the integrity of authentication modules, and implement monitoring for suspicious authentication patterns. The complexity of this malware indicates it possesses nation-state or Advanced Persistent Threat (APT) capabilities, necessitating enhanced security posture for critical infrastructure and defense contractors.New 'Plague' Malware Attacks Linux Servers for Persistent SSH AccessNew 'Plague' Malware Attacks Linux Servers for Persistent SSH Access

Share

New 'Plague' Malware Attacks Linux Servers for Persistent SSH Access

Collect

New 'Plague' Malware Attacks Linux Servers for Persistent SSH Access

Like

New 'Plague' Malware Attacks Linux Servers for Persistent SSH Access

View

Leave a Comment