A newly identified backdoor, known as PamDOORa, poses an escalating threat to Linux systems by stealthily capturing SSH credentials. This dangerous malware exploits a critical component of the operating system, raising significant concerns among cybersecurity experts.
Emergence and Market Activity
PamDOORa first appeared on a Russian-speaking cybercrime forum called Rehub, where it was initially offered for sale at $1,600. The price was later reduced to $900, which sparked curiosity among researchers. This price drop may indicate a lack of buyer interest or a strategic decision to sell quickly.
The malware operates by infiltrating the Pluggable Authentication Module (PAM) framework, a crucial part of Linux systems responsible for managing login processes and identity verification. Unlike traditional malware, PamDOORa does not run as a visible process but integrates into the authentication layer, making it difficult to detect.
Technical Insights and Methodology
Researchers at Group-IB discovered that PamDOORa exploits the pam_exec module, a standard PAM component, to execute external commands during authentication. This method is not yet part of the MITRE ATT&CK framework, suggesting that many security teams may not be prepared to counter it.
The malware’s creator, operating under the alias “darkworm,” has demonstrated advanced knowledge of Linux systems. Code analysis indicates that the techniques used are consistent with known PAM exploitation methods, making the threat credible and sophisticated.
Operational Tactics and Concealment
PamDOORa is particularly concerning due to its ability to erase traces of unauthorized access by modifying authentication logs. It manipulates files such as lastlog, btmp, utmp, and wtmp, thereby hiding evidence of the breach from incident responders.
Designed as a post-exploitation tool, PamDOORa requires root access to be installed. It injects a malicious PAM module, pam_linux.so, into the authentication stack, blending with legitimate system files to avoid detection. It ensures persistent SSH access using a specific TCP port and a secret “magic password.”
Detection Challenges and Security Recommendations
PamDOORa’s anti-forensic capabilities further complicate detection, as it actively removes attacker login traces from system logs. To mitigate the risk, security teams should assume that any compromised Linux server has exposed credentials.
Experts recommend enabling SELinux and AppArmor for enhanced process isolation, employing Auditd with DISA-STIG rules for monitoring system changes, and using tools like rkhunter to detect unauthorized software. Disabling root SSH login and restricting sudo access are crucial steps in minimizing PamDOORa’s attack potential.
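As an added example (not PamDOORa's code and not from Group-IB), the following audit helpers surface the two footholds described above: pam_exec.so entries that run an external command, and PAM module files such as pam_linux.so that are absent from a known-good baseline. The config directory /etc/pam.d and the module directories named in the comments are assumed defaults.

```shell
#!/usr/bin/env bash
# Added audit helpers (not PamDOORa's code, not from Group-IB). Assumed paths:
# /etc/pam.d for config; /lib/x86_64-linux-gnu/security (Debian) or
# /usr/lib64/security (RHEL) for modules.

# Print "file: command" for every pam_exec.so entry under a PAM config dir.
# Comments are stripped first; the command is the first absolute path on the
# line that is not the module itself (handles a fully qualified module path).
list_pam_exec() {
  dir=${1:-/etc/pam.d}
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    sed 's/#.*//' "$f" | awk -v file="$f" '
      /pam_exec\.so/ {
        for (i = 1; i <= NF; i++)
          if ($i ~ /^\// && $i !~ /pam_exec\.so$/) { print file ": " $i; break }
      }'
  done
  return 0
}

# Print the name of every *.so in a PAM module dir that is absent from a
# baseline list (one filename per line). Build the baseline on a known-good
# host, e.g. from the package manager's file ownership data (dpkg -S / rpm -qf),
# and keep it off the audited machine so an intruder with root cannot edit it
# together with the module directory.
find_unknown_pam_modules() {
  moddir=$1 baseline=$2
  for f in "$moddir"/*.so; do
    [ -e "$f" ] || continue
    name=${f##*/}
    grep -Fxq -- "$name" "$baseline" || printf '%s\n' "$name"
  done
  return 0
}

# Usage on the audited host (as root):
#   list_pam_exec /etc/pam.d
#   find_unknown_pam_modules /lib/x86_64-linux-gnu/security ./pam-baseline.txt
```

Any pam_exec command outside the expected set, or any module the baseline does not list, is a finding to investigate; because the report notes that the backdoor scrubs lastlog, btmp, utmp and wtmp, treat the absence of login records as inconclusive rather than as evidence that nothing happened.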
Security teams must stay vigilant and consider these protective measures to safeguard against this emerging threat, ensuring robust defenses against similar future attacks.
