Antivirus Vendors Fail To Spot Persistent, Nasty, Stealthy Linux Backdoor
Updated Researchers at German infosec services company Nextron Threat have spotted malware that creates a highly-persistent Linux backdoor and said that antivirus engines did not initially flag the code as malicious.
Nextron researcher Pierre-Henri Pezier says the company named the malware “Plague” as its deobfuscated code contains the text “Uh. Mr. The Plague, sir? I think we have a hacker” – a line from the 1995 film Hackers.
“The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access,” Pezier wrote last week, adding that the malware “integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces. Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools.”
After initial publication of this article, it now appears that security software is at last recognizing the malicious PAM module, with over 30 engines now identifying it as malware. Nextron says it didn’t notify security vendors ahead of time because it believes the public release of the technical information “constitutes a responsible disclosure.”
Pezier said the malware “actively sanitizes the runtime environment to eliminate evidence of an SSH session. Environment variables such as SSH_CONNECTION and SSH_CLIENT are unset using unsetenv, while HISTFILE is redirected to /dev/null to prevent shell command logging.”
The malware appears as a Pluggable Authentication Module (PAM) and uses a variety of techniques to avoid detection, including hiding session logs to evade scanning, implementing a custom string obfuscation system, and concealing itself from debuggers by using the legitimate libselinux.so.8 shared library file name. It also contains hardcoded passwords to allow the operator easy access.
Given PAM’s role in authentication, the backdoor is very worrying. Potentially it could be used to steal user account details and bypass standard authentication checks.
Another reason to worry is that Nextron isn’t sure how miscreants would install Plague. Worse still, Pezier wrote that parties unknown uploaded Plague variants to VirusTotal in 2024, but the malware scanning service never flagged the code as malware.
This is nasty malware, but there is one reason to be slightly cheerful: Pezier found no public reports of researchers detecting Plague in the wild.
“The Plague backdoor represents a sophisticated and evolving threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence,” Pezier concludes. “Its use of advanced obfuscation, static credentials, and environment tampering makes it particularly difficult to detect using conventional methods.”
Nextron offers advice
“All samples belong to the same backdoor family, with slight variations in size, compilation toolchains, and obfuscation layers,” Pezier told The Register via email. “They show a clear development timeline, likely reflecting testing and iteration. Most were uploaded from the United States, with one coming from China. That might suggest global use or testing in multiple environments, but without more telemetry, it’s difficult to say whether the uploads reflect real infections, analyst curiosity, or automated sandboxing. Filenames like libselinux.so.8 and libse.so mimic legitimate system libraries, likely to avoid suspicion during deployment.”
Nevertheless, Pezier recommends that admins who have suspicions should manually check that their PAM module files are legitimate. Nextron has updated its free THOR Lite software to spot anything that looks like it might be the Plague.®
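The manual PAM check Pezier recommends can be scripted. The following is an added example written for this article, not Nextron’s THOR Lite or any code from the report: it parses every file under /etc/pam.d, collects the modules those files load, and flags anything that is not in an allowlist of stock modules, does not follow the pam_*.so naming convention (the Plague samples used names such as libselinux.so.8 and libse.so), or is loaded from outside the standard module directories; it then scans the module directories themselves for shared objects with non-PAM names. The allowlist and directory list are assumptions for a typical Debian/RHEL-style host and should be regenerated from your own distribution’s package contents.

```python
"""Audit PAM configuration and module directories for entries that do not
look like stock distribution modules. Added example for this article; it is
not Nextron's tooling and makes no claim about any specific sample."""
import os
import re
from typing import Dict, List

# Directories where distributions install PAM modules (assumed list; extend
# for other architectures or distributions).
PAM_MODULE_DIRS = (
    "/lib/security",
    "/lib64/security",
    "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security",
    "/usr/lib/x86_64-linux-gnu/security",
)

# Assumed allowlist of module names shipped by the distribution's PAM package.
# Build the real one on a known-good host, e.g. with
#   dpkg -L libpam-modules | grep '\.so$'     or     rpm -ql pam | grep '\.so$'
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_nologin.so",
    "pam_limits.so", "pam_systemd.so", "pam_keyinit.so", "pam_loginuid.so",
    "pam_selinux.so", "pam_motd.so", "pam_mail.so", "pam_faildelay.so",
    "pam_succeed_if.so", "pam_localuser.so", "pam_lastlog.so", "pam_umask.so",
    "pam_sepermit.so", "pam_securetty.so", "pam_access.so", "pam_faillock.so",
    "pam_pwquality.so", "pam_cap.so", "pam_gnome_keyring.so",
}

# A pam.d line is:  [-]type  control  module-path  [arguments]
# The control field is either a single word (required, sufficient, ...) or a
# bracketed spec such as [success=1 default=ignore]; the bracket form is tried
# first so the module field is never mistaken for part of it.
PAM_LINE = re.compile(
    r"^\s*-?(?:auth|account|password|session)\s+"
    r"(?:\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)"
)


def referenced_modules(pam_d: str) -> Dict[str, List[str]]:
    """Map each module path referenced under pam_d to the 'file:line' entries citing it."""
    refs: Dict[str, List[str]] = {}
    if not os.path.isdir(pam_d):
        return refs
    for name in sorted(os.listdir(pam_d)):
        path = os.path.join(pam_d, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                m = PAM_LINE.match(line)
                if m:
                    refs.setdefault(m.group("module"), []).append(f"{name}:{lineno}")
    return refs


def audit_config(refs: Dict[str, List[str]], known=KNOWN_MODULES) -> List[str]:
    """Flag referenced modules that are unusual by path, by name, or by allowlist."""
    findings = []
    for module, where in refs.items():
        base = os.path.basename(module)
        cited = ", ".join(where)
        if os.path.isabs(module) and os.path.dirname(module) not in PAM_MODULE_DIRS:
            findings.append(f"{module}: absolute path outside PAM module dirs ({cited})")
        elif not base.startswith("pam_"):
            findings.append(f"{module}: name does not follow pam_*.so convention ({cited})")
        elif base not in known:
            findings.append(f"{module}: not in the known-module allowlist ({cited})")
    return findings


def audit_module_dir(module_dir: str, known=KNOWN_MODULES) -> List[str]:
    """Flag shared objects in a PAM module directory that are not known PAM modules."""
    findings = []
    if not os.path.isdir(module_dir):
        return findings
    for name in sorted(os.listdir(module_dir)):
        if ".so" not in name:
            continue
        if not name.startswith("pam_"):
            findings.append(f"{module_dir}/{name}: non-PAM library name in a PAM module dir")
        elif name not in known:
            findings.append(f"{module_dir}/{name}: module not in allowlist")
    return findings


def audit(pam_d: str = "/etc/pam.d", module_dirs=PAM_MODULE_DIRS) -> List[str]:
    """Run both checks and return every finding as a human-readable line."""
    findings = audit_config(referenced_modules(pam_d))
    for d in module_dirs:
        findings.extend(audit_module_dir(d))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run it as root on the host under review; an empty result means nothing outside the allowlist is wired into authentication, not that the host is clean. Pair it with the package manager’s own integrity check (`dpkg -V libpam-modules` or `rpm -V pam`) so a trojanised copy of a legitimately named module, which this name-based audit cannot see, is caught by the checksum comparison.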
Updated at 1612 UTC to include a statement from Nextron and details about antivirus vendors updating their software.