Cyber Web Spider Blog – News
PamDOORa Backdoor Threatens Linux by Stealing SSH Credentials

Posted on May 8, 2026 By CWS

A newly identified backdoor, known as PamDOORa, poses an escalating threat to Linux systems by stealthily capturing SSH credentials. The malware abuses a critical component of the operating system, raising significant concerns among cybersecurity experts.

Emergence and Market Activity

PamDOORa first appeared on a Russian-speaking cybercrime forum called Rehub, where it was initially offered for sale at $1,600. The price was later reduced to $900, which sparked curiosity among researchers. This price drop may indicate a lack of buyer interest or a strategic decision to sell quickly.

The malware operates by infiltrating the Pluggable Authentication Module (PAM) framework, a crucial part of Linux systems responsible for managing login processes and identity verification. Unlike traditional malware, PamDOORa does not run as a visible process but integrates into the authentication layer, making it difficult to detect.

Technical Insights and Methodology

Researchers at Group-IB discovered that PamDOORa abuses the pam_exec module, a standard PAM component, to execute external commands during authentication. This technique is not yet catalogued in the MITRE ATT&CK framework, suggesting that many security teams may not be prepared to counter it.

The malware’s creator, operating under the alias “darkworm,” has demonstrated advanced knowledge of Linux systems. Code analysis indicates that the techniques used are consistent with known PAM exploitation methods, making the threat credible and sophisticated.

Operational Tactics and Concealment

PamDOORa is particularly concerning because it erases traces of unauthorized access by modifying authentication logs. It manipulates the lastlog, btmp, utmp, and wtmp files, obscuring evidence of the breach from incident responders.

Designed as a post-exploitation tool, PamDOORa requires root access to be installed. It injects a malicious PAM module, pam_linux.so, into the authentication stack, blending with legitimate system files to avoid detection. It ensures persistent SSH access using a specific TCP port and a secret “magic password.”

Detection Challenges and Security Recommendations

PamDOORa’s anti-forensic capabilities further complicate detection, as it actively removes attacker login traces from system logs. To mitigate the risk, security teams should assume that any compromised Linux server has had its credentials exposed.

Experts recommend enabling SELinux and AppArmor for enhanced process isolation, employing Auditd with DISA-STIG rules for monitoring system changes, and using tools like rkhunter to detect unauthorized software. Disabling root SSH login and restricting sudo access are crucial steps in minimizing PamDOORa’s attack potential.
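The two behaviours described above, a pam_exec entry that runs an external command and a module such as pam_linux.so that does not belong in a stock stack, can be surfaced by reviewing the PAM configuration directly. The script below is an added example, not code from the article or from Group-IB; the list of expected module names is an assumption and must be tuned for the distribution being audited, and the sample stack it scans is constructed.

```shell
#!/bin/sh
# Added example, not from the article or Group-IB; the expected-module list below
# is an assumption and must be tuned for the distribution being audited.
set -f   # no pathname expansion when splitting config lines into words
ALLOWED_MODULES="pam_env.so pam_unix.so pam_nologin.so pam_limits.so pam_systemd.so"
ALLOWED_MODULES="$ALLOWED_MODULES pam_loginuid.so pam_keyinit.so pam_motd.so pam_permit.so pam_deny.so"
# Constructed sample of a tampered /etc/pam.d/sshd: the pam_exec line and the
# pam_linux.so module are the two entries an analyst should review.
sample_stack() {
cat <<'EOF'
# PAM configuration for the Secure Shell service (constructed sample)
auth       required   pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       optional   pam_exec.so quiet /usr/local/bin/helper
account    required   pam_nologin.so
session    include    common-session
session    required   pam_linux.so
EOF
}
# scan_pam_stack: read a PAM stack on stdin, print one line per suspicious entry and
# return 1 if anything was found. pam_exec can be legitimate: each hit is a review item.
scan_pam_stack() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        [ $# -ge 3 ] || continue                # not a complete type/control/module entry
        phase=$1; control=$2; shift 2
        # Bracketed control values ([success=1 default=ignore]) span several tokens.
        if [ "${control#\[}" != "$control" ]; then
            while [ "${control%\]}" = "$control" ] && [ $# -gt 1 ]; do
                control="$control $1"; shift
            done
        fi
        module=${1##*/}; shift                  # module file name without any directory
        case "$control" in include|substack) continue ;; esac
        case "$module" in
            pam_exec.so) echo "pam_exec: $phase phase runs an external command: $*"
                         findings=$((findings + 1)) ;;
            *) case " $ALLOWED_MODULES " in
                   *" $module "*) ;;
                   *) echo "unknown-module: $module ($phase $control)"
                      findings=$((findings + 1)) ;;
               esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
sample_stack | scan_pam_stack || echo "-> entries above need review"
```

On a real host, feed each file under /etc/pam.d to scan_pam_stack (for example `scan_pam_stack < /etc/pam.d/sshd`) and confirm that any flagged shared object is owned by an installed package before trusting it.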

Security teams must stay vigilant and consider these protective measures to safeguard against this emerging threat, ensuring robust defenses against similar future attacks.
