
Malicious software bypasses antivirus protections, causing a destructive outbreak on your devices

Linux Malware: Extremely Powerful Backdoor Known as The Plague


New Linux Malware, Plague, Poses Threat to High-Security Systems

A new, highly stealthy Linux malware known as Plague is causing concern among cybersecurity experts, particularly for high-value targets such as universities and governments. Named after Mr. Plague, a character from the 1995 film Hackers, the malware operates deep within the Linux authentication framework, bypassing normal authentication checks to maintain persistent, hidden SSH access to compromised systems [1][2][3].

Plague integrates as a malicious Pluggable Authentication Module (PAM), a critical component for Linux authentication. This integration grants the malware privileged access to user credentials and authentication processes [3]. To evade detection, Plague uses advanced obfuscation, static credentials, and environment tampering. It employs string obfuscation, anti-debugging, and erases session traces by removing environment variables like and redirecting command history logs to [1][2].

The malware also sanitises the runtime environment to remove any audit trails or login metadata, making it difficult for system administrators to spot suspicious activity [2]. Moreover, Plague maintains persistence even through software updates and patches, ensuring long-term access to compromised systems [3][4]. It also includes hardcoded static passwords for covert access, facilitating attacker entry without normal login procedures [1][2][5].

The implications of a Plague infection are significant. A compromised cloud environment could grant the attackers access to multiple virtual machines or services all at once. A compromised bastion host or jump server can provide attackers with a foothold to move laterally across internal systems, escalate privileges, or exfiltrate sensitive data [6].

To mitigate the risk of a Plague infection, system administrators are advised to manually inspect their devices for shady PAM modules, monitor PAM configuration files for changes, and look for suspicious logins in authentication logs [7]. They should also audit the directory for suspicious PAM modules and the directory for changes in PAM configuration files [8].
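The audit steps above can be made repeatable with a baseline-and-diff check. The script below is an added example, not code from the article or from any of its sources: it hashes every PAM shared object in a module directory and every file in a PAM configuration directory, reports what was added, removed or modified since a saved baseline, and flags any pam.d rule that references a module that was not in the baseline. The directory paths are assumptions to be set to the distribution's PAM module and configuration locations; `demo()` runs the same logic against a constructed scenario in a temporary directory.

```python
"""Baseline-and-diff audit of PAM modules and pam.d rules (added example)."""
import hashlib, tempfile
from pathlib import Path

def snapshot(module_dir, conf_dir):
    """Map path -> sha256 for every .so under module_dir and every file under conf_dir."""
    snap = {}
    for base, only_so in ((Path(module_dir), True), (Path(conf_dir), False)):
        for p in sorted(base.rglob("*")) if base.is_dir() else []:
            if p.is_file() and (not only_so or p.suffix == ".so"):
                snap[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap

def diff_snapshots(baseline, current):
    """Files added, removed or modified since the baseline was taken."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k])}

def rule_module(line):
    """Module named by a pam.d rule 'type control module [args]'; control may be bracketed."""
    toks = line.split("#", 1)[0].split()
    if len(toks) < 3:  # blank line, comment, or '@include file'
        return None
    i = 2
    if toks[1].startswith("["):  # e.g. [success=1 default=ignore] spans tokens up to ']'
        i = next((j for j, t in enumerate(toks) if t.endswith("]")), len(toks)) + 1
    return Path(toks[i]).name if i < len(toks) else None

def unknown_modules(conf_dir, baseline):
    """Modules referenced by any rule under conf_dir that were not in the baseline."""
    known = {Path(p).name for p in baseline if p.endswith(".so")}
    seen = set()
    for cfg in Path(conf_dir).glob("*"):
        if cfg.is_file():
            seen.update(filter(None, map(rule_module, cfg.read_text(errors="replace").splitlines())))
    return sorted(seen - known)

def demo():
    """Constructed scenario in a temp dir: baseline, then a new .so and an edited sshd rule."""
    with tempfile.TemporaryDirectory() as tmp:
        mods, conf = Path(tmp, "security"), Path(tmp, "pam.d")
        mods.mkdir(); conf.mkdir()
        (mods / "pam_unix.so").write_bytes(b"constructed-legit")
        (conf / "sshd").write_text("auth required pam_unix.so\n")
        base = snapshot(mods, conf)
        (mods / "pam_helper.so").write_bytes(b"constructed-unexpected")  # hypothetical module name
        (conf / "sshd").write_text("auth [success=1 default=ignore] pam_helper.so\nauth required pam_unix.so\n")
        d = diff_snapshots(base, snapshot(mods, conf))
        return {k: [Path(p).name for p in v] for k, v in d.items()}, unknown_modules(conf, base)
```

In practice the baseline from `snapshot()` is stored off-host (for example as JSON) and `diff_snapshots()` plus `unknown_modules()` are run on a schedule, since an attacker with root can rewrite a baseline kept on the same machine.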

Despite multiple samples of Plague being uploaded to VirusTotal over the past year, none were flagged as malicious [4]. This underscores the importance of vigilance and proactive measures in protecting high-security systems. Plague is a highly capable Linux malware that, if left unchecked, could cause significant damage.

Technology-focused cybersecurity experts are voicing concerns about the new Linux malware, Plague, which integrates as a malicious Pluggable Authentication Module (PAM), using advanced obfuscation, static credentials, and environmental tampering to maintain persistent, hidden SSH access to compromised systems. Its integration grants the malware privileged access to user credentials and authentication processes, posing a threat to high-security systems.
