Regions Targeted: Not specified
Related Families: None
Key Takeaways
What is Plague?
Analysis of seven samples revealed consistent traits, including compilation with a range of GCC versions such as Debian 10.2.1 and Ubuntu 13.3.0. All of the binaries remain undetected by antivirus engines, underscoring how effectively the implant evades detection. One sample, named "hijack," was submitted from China while the others came from the United States, although these are upload locations rather than deployment sites. After deobfuscation, a hidden message referencing the movie "Hackers" ("Uh. Mr. The Plague, sir? I think we have a hacker.") appears, a cultural nod in the malware's design.
Plague's capabilities include anti-debug measures that check for the exact filename and for the absence of ld.so.preload in the environment variables, halting execution in analysis environments. String obfuscation evolves across variants: early ones employ simple XOR decryption via an init_phrases routine, later ones move to custom Key Scheduling Algorithm (KSA) and Pseudo-Random Generation Algorithm (PRGA) routines, and the latest incorporate a Deterministic Random Bit Generator (DRBG) for added complexity. These layers protect sensitive strings and their memory offsets, so extracting and annotating them requires advanced tooling.
For stealth, the implant unsets variables such as SSH_CONNECTION and SSH_CLIENT with unsetenv and redirects HISTFILE to /dev/null so that the shell records no history. Static passwords, one of which is "IpV57KNK32Ih", grant backdoor access, and a "bkr=1" flag is used to verify a safe environment. Together these steps erase session artifacts and leave no audit trail. The backdoor highlights vulnerabilities in PAM-based systems, echoing prior analyses of similar implants, and its adaptability suggests ongoing refinement by unidentified actors.
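As an added example (not part of the PolySwarm bulletin or of the Plague analysis it summarizes), a small Python hunting check for the session scrubbing described above: it parses /proc/<pid>/environ blobs and flags shells spawned by sshd that lack SSH_CONNECTION and SSH_CLIENT, or that have HISTFILE pointed at /dev/null. SAMPLE_ENVIRON is a constructed blob, and the "child of sshd" test is an assumed heuristic rather than an indicator from the page.

```python
import os
from typing import Dict, List

# Variables sshd exports into every session it spawns; Plague unsets them.
SSH_VARS = ("SSH_CONNECTION", "SSH_CLIENT")
# Constructed /proc/<pid>/environ blob for a scrubbed session (not a real capture).
SAMPLE_ENVIRON = b"HOME=/root\x00SHELL=/bin/bash\x00HISTFILE=/dev/null\x00"

def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE blob found in /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\x00"):
        key, sep, value = entry.partition(b"=")
        if sep:  # skips the empty trailing entry and anything without '='
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def session_findings(env: Dict[str, str], parent_comm: str) -> List[str]:
    """Return why an environment looks scrubbed (empty list = clean).
    A direct child of sshd inherits SSH_* from sshd, so their absence there, or
    HISTFILE=/dev/null, deserves review; treat hits as leads, not verdicts."""
    findings: List[str] = []
    if parent_comm == "sshd":
        missing = [v for v in SSH_VARS if v not in env]
        if missing:
            findings.append("sshd child missing " + ", ".join(missing))
    if env.get("HISTFILE") == "/dev/null":
        findings.append("HISTFILE redirected to /dev/null")
    return findings

def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk a live /proc and return {pid: findings}. Reading other users'
    environ needs root; unreadable or already-exited pids are skipped."""
    results: Dict[int, List[str]] = {}
    for name in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "stat")) as f:
                # ppid is field 4; split after ')' so spaces in comm cannot shift it
                ppid = f.read().rsplit(")", 1)[1].split()[1]
            with open(os.path.join(proc_root, ppid, "comm")) as f:
                parent = f.read().strip()
            with open(os.path.join(base, "environ"), "rb") as f:
                env = parse_environ(f.read())
        except OSError:
            continue
        if hits := session_findings(env, parent):
            results[int(name)] = hits
    return results
```

Run scan_proc() as root on a live host to list flagged PIDs; a user who unsets these variables by hand will show up as a false positive.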
IOCs
PolySwarm has multiple samples of Plague.
You can use the following CLI command to search for all Plague samples in our portal:
$ polyswarm link list -f Plague