New Plague backdoor sets sights on Linux systems

Malware, Threat Intelligence

Threat actors have been targeting Linux systems with the novel Plague backdoor, which disguises itself as a malicious Pluggable Authentication Module (PAM) and enables both authentication bypass and persistent SSH access, Security Affairs reports.

Although early samples used XOR encryption alone, later iterations of Plague add custom KSA/PRGA-like routines and a deterministic random bit generator layer that hamper malware analysis, according to findings from Nextron Systems researchers. Beyond anti-debugging capabilities, Plague also includes SSH session sanitization and redirects shell history to /dev/null to bolster stealth and persistence. "The Plague backdoor represents a sophisticated and evolving threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence. Its use of advanced obfuscation, static credentials, and environment tampering makes it particularly difficult to detect using conventional methods," the researchers added.
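Two of the behaviours described above, a backdoor posing as a PAM module and shell history being pointed at /dev/null, can be checked for from the defender's side by auditing PAM configuration and process environments against a baseline. The script below is an added example written for this page, not code from Nextron Systems or Security Affairs, and it does not detect Plague specifically. The standard PAM directories, the baseline module list, the sample configuration and the sample environment dump are all assumptions constructed for the example; a real deployment would build the baseline from the package manager's file lists on a known-good host.

```python
import re
from dataclasses import dataclass, field

# Directories where distribution-supplied PAM modules normally live
# (assumption: adjust to the host's actual layout).
STANDARD_PAM_DIRS = (
    "/lib/security", "/lib64/security",
    "/usr/lib/security", "/usr/lib64/security",
    "/usr/lib/x86_64-linux-gnu/security",
)

# Baseline of module basenames expected on this host (assumption; derive it
# from package file lists on a clean system rather than hard-coding it).
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so",
    "pam_env.so", "pam_systemd.so", "pam_limits.so",
}

# Environment settings that silence interactive shell history.
HISTORY_SUPPRESSION = {
    "HISTFILE": {"/dev/null", ""},
    "HISTSIZE": {"0"},
    "HISTFILESIZE": {"0"},
}


@dataclass
class PamEntry:
    lineno: int
    module_type: str
    control: str
    module_path: str
    args: list = field(default_factory=list)


# type  control  module-path [args]; control may be a bracketed expression
# containing spaces, e.g. [success=1 default=ignore].
PAM_LINE = re.compile(r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<rest>.+)$")


def parse_pam_config(text):
    """Parse the lines of a /etc/pam.d/<service> file into PamEntry objects."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            continue
        rest = m.group("rest").split()
        entries.append(PamEntry(n, m.group("type").lstrip("-"),
                                m.group("control"), rest[0], rest[1:]))
    return entries


def suspicious_pam_modules(text, known=KNOWN_MODULES):
    """Return (lineno, module_path, reasons) for modules that fall outside the baseline."""
    findings = []
    for e in parse_pam_config(text):
        base = e.module_path.rsplit("/", 1)[-1]
        reasons = []
        # An absolute path outside the standard module directories is unusual.
        if "/" in e.module_path and not e.module_path.startswith(STANDARD_PAM_DIRS):
            reasons.append("module loaded from non-standard directory")
        if base not in known:
            reasons.append("module not in baseline")
        if reasons:
            findings.append((e.lineno, e.module_path, reasons))
    return findings


def history_suppression(env_text):
    """Flag KEY=VALUE lines (as in /proc/<pid>/environ, NUL replaced by newline) that disable shell history."""
    hits = []
    for line in env_text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in HISTORY_SUPPRESSION and value.strip() in HISTORY_SUPPRESSION[key]:
            hits.append((key, value.strip()))
    return hits


# Constructed sample inputs (not real artifacts).
SAMPLE_PAM_CONFIG = """\
# constructed /etc/pam.d/sshd fragment
auth    required    pam_env.so
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    sufficient  /opt/placeholder/pam_placeholder.so
account required    pam_unix.so
session optional    pam_systemd.so
"""

SAMPLE_ENVIRON = "HOME=/root\nHISTFILE=/dev/null\nHISTSIZE=0\nSHELL=/bin/bash\n"

if __name__ == "__main__":
    for lineno, path, reasons in suspicious_pam_modules(SAMPLE_PAM_CONFIG):
        print(f"line {lineno}: {path}: {'; '.join(reasons)}")
    for key, value in history_suppression(SAMPLE_ENVIRON):
        print(f"history suppression: {key}={value}")
```

On a live host the same functions would be fed the contents of each file under /etc/pam.d/ and of /proc/<pid>/environ for interactive sessions; a module flagged for both reasons warrants comparing the file against package-manager checksums before anything else.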
