Security researchers have identified a new Linux backdoor, dubbed PamDOORa, which is being advertised on the Russian-language cybercrime forum Rehub by a user known as “darkworm.” First listed at $1,600, it was later marked down to $900. Built as a Pluggable Authentication Module (PAM), PamDOORa gives its operator persistent SSH access that is unlocked by a specific password and TCP port combination, and it captures the credentials of every user who authenticates on the compromised host.
PamDOORa’s Functionality and Risks
PamDOORa operates as a post-exploitation tool inside the PAM framework, the component Unix and Linux systems use to authenticate users for services such as sshd, login and sudo. PAM lets administrators plug in different authentication methods, but the same mechanism means a malicious module is loaded into the authenticating process, which typically runs as root and hands the module the cleartext password it is asked to verify. According to Assaf Morag from Flare.io, PamDOORa persists on x86_64 Linux systems, which makes it a significant threat.
The backdoor is notable for combining credential harvesting with tampering of authentication logs, so that the operator's logins leave fewer traces. That combination sets it apart from most PAM-based backdoors, which typically stop at granting access.
Abusing PAM's Modular Design
PAM's modularity is a feature rather than a flaw, but it is exactly what a backdoor author relies on. Modules are loaded into the process performing authentication, which for sshd, login and sudo runs as root, and the stack is defined by plain-text files under /etc/pam.d that root can edit freely. Group-IB has previously highlighted this exposure, particularly for pam_exec, which runs an external command at whatever point in the stack it is listed.
PamDOORa takes advantage of this design by manipulating the PAM configuration so that its module and scripts run during authentication, securing a persistent and stealthy presence on target systems.
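The stack format that a PAM backdoor has to be wired into, and the checks a defender can run against it, as an added example for this article (not code from the PamDOORa report, Flare.io or Group-IB). It parses pam.d-style text, including the bracketed control syntax, backslash line continuations and Debian @include lines, and flags the three things the section above describes: a module outside the distribution's allowlist, a module file loaded from outside the standard module directory, and a pam_exec entry that runs an external program. It also hashes a module directory so a replaced .so can be compared against a baseline. The allowlist, the directory list and the sample sshd file are constructed assumptions for the example, not a real configuration or capture.

```python
"""Audit pam.d-style configuration for modules a defender should review.

Added example for this article (not code from the PamDOORa report, Flare.io or
Group-IB): parses the PAM stack format a PAM backdoor must be wired into, flags
modules off a distro allowlist, module files outside the standard directory and
pam_exec lines that run a program, and hashes a module directory as a baseline.
"""
import hashlib
import os
import re

# Linux-PAM modules normally present on x86_64 distros (assumption; tune it).
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_nologin.so",
    "pam_limits.so", "pam_systemd.so", "pam_motd.so", "pam_mail.so", "pam_lastlog.so",
    "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so", "pam_faildelay.so",
    "pam_securetty.so", "pam_succeed_if.so", "pam_umask.so", "pam_faillock.so",
    "pam_pwquality.so", "pam_access.so", "pam_wheel.so", "pam_rootok.so", "pam_exec.so",
}
# Modules that execute an arbitrary program as part of the stack.
EXEC_MODULES = {"pam_exec.so", "pam_script.so"}
# Directories where distributions install PAM modules (assumption).
STANDARD_MODULE_DIRS = (
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
    "/lib/security", "/usr/lib/security", "/lib64/security", "/usr/lib64/security",
)

def _logical_lines(text):
    """Join backslash-continued lines and drop blank lines and comments
    (a '#' at line start or after whitespace begins a comment here)."""
    buf = ""
    for raw in text.splitlines():
        part = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].rstrip()
        if part.endswith("\\"):
            buf += part[:-1] + " "
            continue
        line = (buf + part).strip()
        buf = ""
        if line:
            yield line

def parse_pam_config(text):
    """Return (type, control, module, args) tuples for one pam.d file; handles
    the '-type' prefix, '[value=action ...]' controls and Debian '@include'.
    Malformed lines raise, mirroring PAM's own refusal to guess."""
    entries = []
    for line in _logical_lines(text):
        if line.startswith("@include"):
            entries.append(("include", "", line.split(None, 1)[1].strip(), []))
            continue
        mtype, rest = line.split(None, 1)
        mtype, rest = mtype.lstrip("-").lower(), rest.lstrip()
        if rest.startswith("["):
            end = rest.index("]")
            control, rest = rest[:end + 1], rest[end + 1:]
        else:
            control, rest = (rest.split(None, 1) + [""])[:2]
        tokens = rest.split()
        entries.append((mtype, control, tokens[0], tokens[1:]))
    return entries

def audit_pam(text, known=KNOWN_MODULES):
    """Return (rule, module, detail) findings for one pam.d file's text."""
    findings = []
    for mtype, control, module, args in parse_pam_config(text):
        if mtype == "include" or control in ("include", "substack"):
            continue  # the referenced file is audited on its own
        name = os.path.basename(module)
        if os.path.isabs(module) and os.path.dirname(module) not in STANDARD_MODULE_DIRS:
            findings.append(("nonstandard-path", module, "loaded from outside the module directory"))
        if name not in known:
            findings.append(("unknown-module", module, "not in allowlist; check package ownership"))
        if name in EXEC_MODULES:
            findings.append(("exec-module", module, " ".join(args)))
    return findings

def hash_module_dir(dirpath):
    """SHA-256 of every .so in a module directory, to keep as a baseline."""
    return {n: hashlib.sha256(open(os.path.join(dirpath, n), "rb").read()).hexdigest()
            for n in sorted(os.listdir(dirpath)) if n.endswith(".so")}

def compare_baseline(baseline, current):
    """Modules that appeared, vanished or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
    }

# Constructed sample of /etc/pam.d/sshd for this example, not a real capture.
SAMPLE_SSHD = """\
@include common-auth
auth     [success=1 default=ignore]  pam_unix.so nullok   # bracketed control
auth     sufficient  /lib/x86_64-linux-gnu/security/pam_sshhelper.so port=2222
auth     optional    /usr/local/lib/pam_compat.so
account  required    pam_nologin.so
session  optional    pam_exec.so seteuid \\
                     /usr/local/bin/session_hook.sh
-session optional    pam_systemd.so
"""

if __name__ == "__main__":
    for rule, module, detail in audit_pam(SAMPLE_SSHD):
        print("%-16s %-52s %s" % (rule, module, detail))
```

Run it as root against every file in /etc/pam.d (following @include and include/substack entries), keep the hash_module_dir() output from a known-good host as the baseline, and alert on any finding or baseline difference. An unknown-module hit should be followed by dpkg -S or rpm -qf on the file to confirm that a package actually owns it; the module directory check matters because a backdoor that overwrites an existing .so leaves /etc/pam.d untouched.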
Potential Threats and Market Response
Despite its capabilities, there is currently no evidence of PamDOORa being used in real intrusions, but the threat it poses cannot be overlooked. Deploying it requires root on the target: the module has to be written into the PAM module directory and the PAM configuration edited, so it is a persistence and credential-theft stage rather than an initial-access tool. Once in place it captures credentials and keeps SSH access open for the operator. Because loading the module requires either a configuration change or a replaced module file, defenders should baseline /etc/pam.d and the PAM module directory and alert on any change to either.
The decision by “darkworm” to reduce the asking price of PamDOORa suggests either a lack of demand or a strategic move to increase sales velocity. This backdoor’s integration of debug-resistant features and network-aware triggers positions it as a formidable tool for cybercriminals seeking more than just basic exploits.
In conclusion, PamDOORa exemplifies the ongoing evolution of cyber threats targeting Linux systems. As cybersecurity landscapes continue to shift, staying informed about such developments is crucial for maintaining robust defenses and ensuring system security.
