Malware

New PamDOORa Linux backdoor sold on cybercrime forum

As reported by The Hacker News, cybersecurity researchers from Flare have uncovered a new Linux backdoor named PamDOORa, offered for $1,600 on the Russian-language cybercrime forum Rehub by a threat actor known as "darkworm." The tool plugs into the Linux Pluggable Authentication Modules (PAM) framework to provide persistent SSH access and harvest credentials.

PamDOORa functions as a post-exploitation toolkit for x86_64 Linux systems: once its module is loaded into the PAM stack, an attacker who connects using a specific TCP port and supplies a "magic password" is let in regardless of the account's real credentials. Because a PAM module runs inside the process that performs authentication (for SSH, the root-owned sshd), the backdoor executes with root privileges. The same position in the authentication path lets it capture the credentials of legitimate users as they log in and tamper with authentication logs to erase traces of its activity. Researchers describe it as the second Linux backdoor targeting the PAM stack, following Plague.

There is no evidence yet of PamDOORa being used in real-world attacks. Installing a PAM module already requires root, so attackers are expected to gain root access through other means before deploying the backdoor; it is a persistence and credential-theft tool, not an initial-access one. The seller, "darkworm," has since cut the price from $1,600 to $900, possibly for lack of buyer interest. Researchers nonetheless note that PamDOORa represents an evolution in operator-grade tooling, given its integrated feature set and builder pipeline.
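Because a PAM backdoor has to be wired into the stack through a module that the pam.d configuration references, one practical check is to enumerate every module the configuration can load and compare it against what the distribution ships. The script below is an added example written for this article, not code from Flare, SC Media or the malware's author. It parses pam.d service files the way libpam does (bracketed control fields, backslash continuations, `include`/`substack` and Debian's `@include`), then flags modules that live outside the standard module directories or whose names are not in an allowlist. The sample configuration, the module names pam_sshd_helper.so and pam_cache.so, and the directory list are all constructed assumptions; populate the allowlist from `dpkg -L libpam-modules` or `rpm -ql pam` on the host you audit.

```python
"""Audit pam.d for modules that should not be there (added example)."""
import os
import re
import shlex
import shutil
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Assumption: where distributions install PAM modules; adjust per distro.
MODULE_DIRS = {
    "/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
}
PAM_TYPES = {"auth", "account", "password", "session"}
# type  control-or-[bracketed list]  module  [args]; a leading '-' marks an optional module
_ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")
Entry = Tuple[str, str, str, List[str]]  # (type, control, module, args)


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines, strip comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined = (buf + line).split("#", 1)[0].strip()
        buf = ""
        if joined:
            out.append(joined)
    return out


def parse_pam_service(text: str) -> List[Entry]:
    """Parse one pam.d service file into (type, control, module, args) tuples."""
    entries: List[Entry] = []
    for line in _logical_lines(text):
        if line.startswith("@include"):  # Debian-style include directive
            entries.append(("include", "include", line.split(None, 1)[1], []))
            continue
        m = _ENTRY.match(line)
        if m and m.group(1).lower() in PAM_TYPES:
            ptype, control, module, args = m.groups()
            entries.append((ptype.lower(), control, module, shlex.split(args or "")))
    return entries


def collect_modules(services: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each module path to the service files that can reach it via includes."""
    found: Dict[str, Set[str]] = {}

    def walk(name: str, origin: str, seen: Set[str]) -> None:
        if name in seen or name not in services:  # missing include: nothing to load
            return
        seen.add(name)
        for _t, control, module, _a in parse_pam_service(services[name]):
            if control in ("include", "substack"):
                walk(module, origin, seen)
            else:
                found.setdefault(module, set()).add(origin)

    for svc in services:
        walk(svc, svc, set())
    return found


def audit_pam(services: Dict[str, str], allowlist: Set[str]) -> List[Tuple[str, str, Set[str]]]:
    """Return (module, reason, services) for every module that warrants a look."""
    findings = []
    for module, svcs in sorted(collect_modules(services).items()):
        if "/" in module and os.path.dirname(module) not in MODULE_DIRS:
            findings.append((module, "outside standard module directories", svcs))
        elif os.path.basename(module) not in allowlist:
            findings.append((module, "not in allowlist of package-shipped modules", svcs))
    return findings


def load_pam_dir(path: str = "/etc/pam.d") -> Dict[str, str]:
    """Read every service file under a pam.d directory."""
    out = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, errors="replace") as fh:
                out[name] = fh.read()
    return out


def package_owner(path: str) -> Optional[str]:
    """Ask dpkg or rpm which package owns a file; None if unowned or no tool."""
    if shutil.which("dpkg"):
        cmd = ["dpkg", "-S", path]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-qf", path]
    else:
        return None
    r = subprocess.run(cmd, capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


# Constructed sample pam.d content, not from any real host. The two full-path
# modules are hypothetical stand-ins for a planted PAM module.
SAMPLE_PAM_D = {
    "sshd": "@include common-auth\naccount required pam_nologin.so\n"
            "session required pam_limits.so\n",
    "sudo": "auth include common-auth\nsession required pam_limits.so\n",
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok \\\n"
                   "    try_first_pass\n"
                   "auth requisite pam_deny.so\nauth required pam_permit.so\n"
                   "auth optional /lib/x86_64-linux-gnu/security/pam_sshd_helper.so\n"
                   "auth optional /usr/local/lib/security/pam_cache.so\n",
}
# Assumption: build this from `dpkg -L libpam-modules` / `rpm -ql pam` on your distro.
ALLOWLIST = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_nologin.so", "pam_limits.so"}

if __name__ == "__main__":
    services = load_pam_dir() if os.path.isdir("/etc/pam.d") else SAMPLE_PAM_D
    for module, reason, svcs in audit_pam(services, ALLOWLIST):
        owner = package_owner(module) if module.startswith("/") else "n/a"
        print(f"{module}: {reason}; loaded by {', '.join(sorted(svcs))}; package: {owner}")
```

Run as root on a live host it audits /etc/pam.d and, for full-path modules, asks the package manager whether anything owns the file; on a machine without a pam.d directory it runs against the constructed sample. Two points matter in practice: a module placed in the distribution's own security directory passes the location test and is caught only by the allowlist, which is why the name check is not optional; and a clean pam.d does not clear a host where an attacker with root has replaced a legitimately named module such as pam_unix.so in place, so pair this with `dpkg -V libpam-modules` or `rpm -V pam` to verify the module files' hashes.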

Source: The Hacker News
