
Introduction:
The “Silent Authenticator” challenge on MalOps.io simulates a critical real-world threat: backdoors within Linux’s Pluggable Authentication Modules (PAM). This foundational security framework is a prime target for advanced attackers seeking undetectable, persistent access to servers and networks. By compromising PAM, threats like the recently discovered “Plague” backdoor can bypass authentication, harvest credentials, and erase their tracks, posing a severe risk to enterprise security.
Learning Objectives:
- Understand how attackers subvert Linux PAM to create stealthy backdoors and harvest credentials.
- Analyze advanced obfuscation techniques, including XOR and custom encryption, used to hide malicious payloads.
- Master forensic techniques to detect timestomping and uncover artifacts left by authentication-based compromises.
You Should Know:
1. Anatomy of a PAM Backdoor: Bypassing Linux Authentication
A PAM backdoor works by injecting malicious code into the Linux authentication process. Attackers typically modify or replace legitimate PAM modules (shared library files in `/lib/security/` or `/lib64/security/`). A common method is patching the `pam_unix_auth.c` source code to introduce a hardcoded backdoor password check. When this password is used, the module returns `PAM_SUCCESS` without validating against the real credentials, granting unauthorized access. Real-world malware like “Plague” uses this technique, allowing attackers SSH access with a static password, effectively impersonating any user on the system.
Step-by-step guide explaining what this does and how to use it.
1. Target Identification: An attacker gains initial foothold on a Linux system, often via an exploit like React2Shell (CVE-2025-55182) which allows remote code execution.
2. Privilege Escalation: The attacker escalates to root to modify critical PAM files.
3. Backdoor Deployment: The original PAM module (e.g., pam_unix.so) is replaced. In the “Plague” case, a malicious file named `libselinux.so.8` is placed in a PAM directory.
4. Persistence Establishment: The system’s PAM configuration (/etc/pam.d/) is updated to load the malicious module, ensuring it runs during every authentication attempt.
5. Covert Access: Attackers can now log in via SSH or `su` using the hardcoded backdoor password, blending in with normal traffic.
2. Credential Harvesting and Exfiltration Mechanisms
Beyond simple access, sophisticated PAM backdoors are designed to steal credentials from every user who logs in. The malicious module hooks the `pam_sm_authenticate()` function, intercepting the username and plaintext password before the legitimate authentication process occurs. These credentials are often stored locally or exfiltrated to a Command & Control (C2) server. This provides attackers with a growing repository of valid credentials for lateral movement across the network.
1. Function Hooking: The malicious PAM module implements the standard `pam_sm_authenticate` function, which is called during login.
2. Credential Capture: Within this function, code is added to copy the `user` and `p` (password) arguments.
3. Data Processing: Captured credentials may be encrypted or encoded in memory.
4. Exfiltration: The malware sends the data to a C2 server via a network connection. To avoid detection, it might use DNS tunneling or encrypt the data to blend with normal traffic.
5. Legitimate Passthrough: After stealing the credentials, the function calls the real authentication logic, so the user’s login proceeds normally and no suspicion is raised.
3. Obfuscation and Anti-Analysis Techniques
To evade signature-based detection and hinder analysis, PAM backdoors employ advanced obfuscation. The “Plague” backdoor, for example, uses multiple layers: initial XOR encryption, a custom routine resembling a stream cipher (KSA/PRGA), and a third DRBG (Deterministic Random Bit Generator) layer. It also performs anti-debug checks, verifying its filename is `libselinux.so.8` and that `LD_PRELOAD` is not in use—common in sandbox environments.
1. String Hiding: Sensitive strings (C2 IPs, passwords) are encrypted within the binary. A decryption function (`init_phrases`, `decrypt_phrase`) is called at runtime to reveal them in memory only.
2. Anti-Debugging: The malware checks its runtime environment. A simple check in Bash or within the code might look like:
```bash
# Example of an environment check a malware might perform
if [ -n "$LD_PRELOAD" ]; then
    exit 1  # Suspects analysis, exits
fi
```
3. Forensic Countermeasures: To erase traces, it unsets environment variables like `SSH_CONNECTION` and `SSH_CLIENT` and sets `HISTFILE` to `/dev/null` to prevent command history logging.
4. Timestomping: The Art of Anti-Forensics
Timestomping (MITRE ATT&CK T1070.006) is the manipulation of file timestamps to hide malicious activity and thwart forensic timelines. Attackers use it to make backdoor files appear old or to match the timestamps of legitimate system files. In Linux, the primary tool is the `touch` command.
1. Identify a Target File: The attacker has a malicious file, malicious_pam.so, they wish to hide.
2. Choose a Reference: They select a legitimate system file, e.g., /lib/security/pam_unix.so.bak.
3. Execute Timestomping: They copy the timestamps from the legitimate file to the malicious one:
```bash
touch -r /lib/security/pam_unix.so.bak /lib/security/malicious_pam.so
```
This sets the access (atime) and modification (mtime) times of the malicious file to match the original.
4. Advanced Manipulation: To set a specific arbitrary timestamp:
```bash
touch -t 202501011200.00 malicious_pam.so  # Sets timestamp to Jan 1, 2025, 12:00:00
```
Note: The change time (ctime) cannot be set this way and will update to the moment the timestamp was altered, which is a key forensic indicator.
5. Forensic Investigation: Hunting for PAM Backdoors
Detecting these stealthy threats requires looking beyond basic file scans. Focus on behavioral anomalies and forensic artifacts.
1. Verify PAM Module Integrity: Use hashing to find unknown files in PAM directories.
```bash
# Generate hashes of all PAM modules and compare against a known-good baseline
find /lib/security /lib64/security -name "*.so" -exec md5sum {} \;
```
2. Analyze Critical Logs: Scrutinize authentication logs for anomalies.
```bash
# Check for successful logins outside normal hours or from unusual locations
grep "Accepted password" /var/log/auth.log | tail -50
# Look for PAM module load errors
grep "pam_" /var/log/syslog | grep -i fail
```
3. Inspect Processes and Memory: Look for signs of credential dumping.
```bash
# Check for processes accessing PAM or SSH memory regions suspiciously
ps aux | grep -E '(ssh|pam)' | grep -v grep
```
4. Check for Timestamp Discrepancies: Use the `stat` command to identify timestomping.
```bash
stat /lib/security/pam_unix.so
```
Look for a mismatch where the `Change` time (ctime) is newer than the `Modify` time (mtime), or if the nanosecond precision is zeroed out (e.g., .000000000), suggesting manual alteration.
5. Review Scheduled Tasks: Attackers may use cron jobs to reinfect or maintain persistence.
```bash
ls -la /etc/cron* /var/spool/cron/
cat /var/spool/cron/crontabs/* 2>/dev/null
```
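Steps 1 and 4 above, combined into one triage script (an added example, not code from the original post or the challenge): it hashes every regular file in a PAM module directory against a baseline captured on a clean host and flags the timestamp leads the page describes. The baseline format, the 60-second ctime slack and the zeroed-nanosecond heuristic are assumptions of this example.

```python
import hashlib
import os
import stat

# Added example (not from the original post). It assumes a baseline dict
# {filename: {"sha256": hex, "ctime_ns": int}} captured from a known-good host.

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(directory):
    """Record hash and ctime of every regular file; run this on a clean host."""
    baseline = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if stat.S_ISREG(st.st_mode):  # symlinks and directories are skipped
            baseline[name] = {"sha256": sha256_of(path), "ctime_ns": st.st_ctime_ns}
    return baseline

def timestamp_findings(st):
    """Timestomping leads: touch -t writes a whole-second mtime, and neither -t nor
    -r can set ctime. Package installs also leave ctime > mtime: a lead, not proof."""
    findings = []
    if st.st_mtime_ns % 1_000_000_000 == 0:
        findings.append("mtime has zeroed nanoseconds")
    if st.st_ctime - st.st_mtime > 60:
        findings.append("ctime newer than mtime")
    return findings

def triage_pam_dir(directory, baseline):
    """Return sorted (filename, issue) pairs for everything that deviates."""
    issues = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        if name not in baseline:
            issues.append((name, "not in baseline"))  # e.g. a stray libselinux.so.8
        else:
            if baseline[name]["sha256"] != sha256_of(path):
                issues.append((name, "hash mismatch"))
            if baseline[name]["ctime_ns"] != st.st_ctime_ns:  # ctime cannot be backdated
                issues.append((name, "ctime changed since baseline"))
        issues.extend((name, f) for f in timestamp_findings(st))
    return sorted(issues)
```

Run `build_baseline("/lib64/security")` on a known-clean host, store the result, and feed it to `triage_pam_dir` on the host under investigation.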
6. Building Defenses: Detection and Mitigation Strategies
Proactive defense is multi-layered, combining system hardening, continuous monitoring, and behavioral detection.
1. Implement File Integrity Monitoring (FIM): Use tools like AIDE or Osquery to monitor critical directories (/etc/pam.d/, /lib/security/) for unauthorized changes.
2. Enable Detailed Auditing: Configure `auditd` to log critical events.
```bash
# Monitor executions of 'touch' and 'date' commands for timestomping
auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/touch -k timestomp
auditctl -a always,exit -F arch=b64 -S execve -F path=/bin/date -k timestomp
# Monitor writes to PAM configuration and module directories
auditctl -w /etc/pam.d/ -p wa -k pam_config
auditctl -w /lib64/security/ -p wa -k pam_modules
```
3. Use Behavioral EDR/SIEM Rules: Deploy rules that trigger on anomalies, such as:
- A successful SSH login where the preceding password authentication log is missing.
- The loading of a PAM module from a non-standard path.
- Parent-child process relationships where a web or non-privileged process spawns a compiler (gcc) to build PAM source code.
4. Hunt with YARA: Deploy custom YARA rules to scan for indicators of tools like “Plague” in memory and on disk. Rules can look for signatures like the function names `init_phrases` and `decrypt_phrase`.
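An added example (not part of the original post) of the “PAM module loaded from a non-standard path” rule applied to the files FIM watches in `/etc/pam.d/`: a small parser for PAM configuration lines and an audit that flags absolute paths outside the trusted module directories, module names that break the `pam_*.so` convention, and modules missing from a known-good inventory. The trusted directories, the inventory and the sample configuration are assumptions constructed for this example.

```python
import re

# Added example (not from the original post). Trusted directories and the
# known-good inventory are assumptions; build the inventory from a clean host.
TRUSTED_DIRS = ("/lib/security/", "/lib64/security/",
                "/lib/x86_64-linux-gnu/security/", "/usr/lib64/security/")

# Constructed sample of an /etc/pam.d/sshd file with two planted entries.
SAMPLE_PAMD = """\
@include common-auth
auth     required   pam_unix.so nullok
auth     [success=1 default=ignore] pam_succeed_if.so uid >= 1000
auth     sufficient libselinux.so.8
-session optional   pam_systemd.so
session  required   /tmp/.cache/pam_ok.so
"""
KNOWN_MODULES = {"pam_unix.so", "pam_succeed_if.so", "pam_systemd.so"}

def parse_pam_line(line):
    """Split one pam.d entry into (type, control, module, args); returns None for
    blanks, comments and @include lines. The control field may be a bracketed
    list such as [success=1 default=ignore], which contains spaces."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("@include"):
        return None
    m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
    if not m:
        return None
    mtype, control, module, args = m.groups()
    return mtype.lstrip("-"), control, module, args.split()

def audit_pam_config(text, known_modules):
    """Return (module, reason) pairs for entries that deserve review: absolute
    paths outside the trusted module directories, names that do not follow the
    pam_*.so convention (e.g. libselinux.so.8), and modules absent from the inventory."""
    findings = []
    for line in text.splitlines():
        entry = parse_pam_line(line)
        if entry is None:
            continue
        module = entry[2]
        name = module.rsplit("/", 1)[-1]
        if module.startswith("/") and not module.startswith(TRUSTED_DIRS):
            findings.append((module, "absolute path outside trusted module dirs"))
        if not (name.startswith("pam_") and name.endswith(".so")):
            findings.append((module, "name does not look like a PAM module"))
        elif name not in known_modules:
            findings.append((module, "module not in known-good inventory"))
    return findings
```

Feed it the concatenated contents of every file under `/etc/pam.d/` (and `/etc/pam.conf`) and review each finding against the package manager's file list before treating it as a compromise.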
What Undercode Say:
- The Lowest Code Wins: Modern threats demonstrate that sophisticated compromise doesn’t require millions of lines of code. A malicious PAM module under 100 lines can control a critical authentication choke point, rendering many perimeter defenses useless. This underscores the need for defense-in-depth focused on core system integrity.
- The Detection Gap is Behavioral: The fact that real PAM backdoors like “Plague” and others initially had zero detections on VirusTotal highlights the failure of purely signature-based AV. Effective defense requires a shift to detecting behavioral anomalies—deviations in authentication flow, unexpected module loads, and timestamp inconsistencies—that reveal malicious intent regardless of the binary’s signature.
Prediction:
The convergence of cloud-native infrastructure and increasingly sophisticated Linux malware will drive the next evolution of these threats. We predict a rise in fileless PAM backdoors that perform in-memory patching of legitimate modules without touching disk, and cloud-aware backdoors that specifically target orchestration tools (like Kubernetes) and cloud identity services. Furthermore, the automation of attack chains—using exploits like React2Shell for initial access, followed by automated deployment of stealthy PAM implants—will make these campaigns faster and more scalable. Defenders must adapt by integrating cloud telemetry, deepening runtime protection for critical system processes, and automating threat-hunting for authentication anomalies across hybrid environments.
Reported By: Gameel Ali – Hackers Feeds


