"Plague" is a Linux backdoor that secures persistent SSH access by subverting the host's own authentication stack. Researchers at Nextron Systems, who uncovered it, report that it is built as a malicious Pluggable Authentication Modules (PAM) module and that no leading antivirus engine flagged it.
Running inside the PAM stack gives the implant two things at once: stealth, because it looks like any other authentication library, and system-level persistence, because it is loaded every time a service such as sshd authenticates a user. Its invisibility to conventional file-scanning tools is the main concern the researchers raise.
The samples bear this out: several variants uploaded to VirusTotal over the past year went unflagged by every engine, a 0/66 detection rate. That evasion comes from where the implant lives, inside Linux's core authentication path, rather than from the file itself looking unusual.
A VirusTotal score measures static antivirus engines only, so for this class of implant a better test is a review of /etc/pam.d/ together with a package integrity check (for example, dpkg --verify or rpm -Va) of the PAM module directory.
There it behaves like a legitimate PAM module while undermining the checks it is supposed to enforce. The malware capitalizes on PAM's modular design.
PAM is a framework in which each authentication-aware program (sshd, login, sudo and so on) dynamically loads the shared libraries listed in its configuration file under /etc/pam.d/ and calls them in order. Every module in that chain is handed the password PAM collects, and its return code decides whether the step succeeds. By embedding itself in this inherently trusted execution path, Plague can both capture plaintext credentials and approve logins that the legitimate modules would have rejected.
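The practical check that follows from this is to enumerate every module the PAM service files reference and ask whether the package manager can vouch for the file on disk. The script below is an added example written for this page, not Nextron's tooling or anything taken from the Plague sample; the module directories it searches are typical distribution layouts and are an assumption to adjust for your system. It parses both Debian-style (`@include`) and RHEL-style (`include`/`substack`) service files, including bracketed control fields.

```python
"""Audit PAM service files for modules the package manager cannot vouch for.

Added example for this page (not Nextron's tooling, not part of the sample).
Run as root so every service file and module directory is readable."""
import os
import re
import shutil
import subprocess
from pathlib import Path

# Typical PAM module directories (an assumption; extend for your distribution).
MODULE_DIRS = [
    "/lib/security",
    "/lib64/security",
    "/lib/x86_64-linux-gnu/security",
    "/usr/lib/security",
    "/usr/lib64/security",
    "/usr/lib/x86_64-linux-gnu/security",
]

# Service line: "<type> <control> <module> [args]". The control field may be a
# bracketed expression such as "[success=1 default=ignore]"; a leading "-" on
# the type tells PAM to ignore a module that fails to load.
LINE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)"
)

# Constructed sample service file used by demo() and the self-test; not a real one.
SAMPLE = """# constructed sample, not a real service file
auth    required    pam_env.so
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite   pam_deny.so
@include common-account
-session optional    /usr/lib/security/pam_evil.so
account include     system-auth
"""


def parse_pam_config(text):
    """Parse pam.d-style text into (entries, includes).

    entries are (type, control, module) tuples in stack order; includes are the
    names pulled in via "@include", "include" or "substack" for the caller to follow.
    """
    entries, includes = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):        # Debian-style include
            parts = line.split(None, 1)
            if len(parts) == 2:
                includes.append(parts[1])
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("control") in ("include", "substack"):   # RHEL-style include
            includes.append(m.group("module"))
            continue
        entries.append((m.group("type"), m.group("control"), m.group("module")))
    return entries, includes


def resolve_module(module, search_dirs=MODULE_DIRS):
    """Map a module name to a file on disk, or None if it cannot be found.

    PAM loads a bare name such as pam_unix.so from its module directory; a name
    containing "/" is used as a path as-is, which is how an implant can hide
    outside the usual directories.
    """
    if "/" in module:
        return module if os.path.isfile(module) else None
    for d in search_dirs:
        candidate = os.path.join(d, module)
        if os.path.isfile(candidate):
            return candidate
    return None


def package_owner(path):
    """Ask dpkg or rpm which package owns the file; None if no package does."""
    real = os.path.realpath(path)            # follow symlinks to the real object
    if shutil.which("dpkg"):
        r = subprocess.run(["dpkg", "-S", real], capture_output=True, text=True)
        return r.stdout.split(":", 1)[0] if r.returncode == 0 else None
    if shutil.which("rpm"):
        r = subprocess.run(["rpm", "-qf", real], capture_output=True, text=True)
        return r.stdout.strip() if r.returncode == 0 else None
    return None   # no known package manager: nothing can vouch for the file


def audit_pam_dir(pam_dir="/etc/pam.d", search_dirs=MODULE_DIRS):
    """Return (service, module, reason) for modules that are missing or unowned."""
    findings = []
    for svc in sorted(Path(pam_dir).glob("*")):
        if not svc.is_file():
            continue
        entries, _ = parse_pam_config(svc.read_text(errors="replace"))
        for _mtype, _control, module in entries:
            path = resolve_module(module, search_dirs)
            if path is None:
                findings.append((svc.name, module, "module file not found"))
            elif package_owner(path) is None:
                findings.append((svc.name, module, f"{path} not owned by any package"))
    return findings


def demo():
    """Parse the constructed SAMPLE so the parser can be exercised offline."""
    return parse_pam_config(SAMPLE)


if __name__ == "__main__":
    for service, module, reason in audit_pam_dir():
        print(f"{service}: {module}: {reason}")
```

An unowned module is a lead, not a verdict: admins do install third-party PAM modules by hand, and a rootkit can also tamper with the package database, so compare any hit against a known-good copy of the file or a hash list taken from clean media. A module referenced by absolute path from an unusual directory deserves the same scrutiny.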
Plague also sets the HISTFILE environment variable to /dev/null, which stops bash from writing command history to disk.
The attacker's activity therefore leaves no trace in the .bash_history files that incident responders routinely review. The trick has limits worth knowing: it blinds only the shell's own history, so commands still appear in auditd execve records, process accounting and EDR telemetry, and a live session's /proc/<pid>/environ still shows the redirected variable.
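That last point is a usable hunting heuristic: a process whose environment carries HISTFILE=/dev/null, or a zeroed HISTSIZE or HISTFILESIZE (the same anti-forensic idea expressed differently, which this example also covers), is worth a look. The scanner below is an added example for this page, not code from Nextron or from the sample; it reads /proc/<pid>/environ, which requires root to see other users' processes.

```python
"""Find processes whose environment disables bash history.

Added example for this page (not from Nextron or the Plague sample).
Reads /proc/<pid>/environ; run as root to see every user's processes."""
import os


def parse_environ(blob):
    """Turn the NUL-separated KEY=VALUE bytes of /proc/<pid>/environ into a dict."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def history_suppression(env):
    """Return the reasons an environment looks history-hostile; [] if clean."""
    reasons = []
    if env.get("HISTFILE") == "/dev/null":
        reasons.append("HISTFILE=/dev/null")
    for var in ("HISTSIZE", "HISTFILESIZE"):
        if env.get(var) == "0":
            reasons.append(f"{var}=0")
    return reasons


def scan_proc(proc="/proc"):
    """Walk /proc and return (pid, comm, reasons) for every flagged process."""
    hits = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "environ"), "rb") as f:
                env = parse_environ(f.read())
            with open(os.path.join(proc, pid, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue   # process exited, or not readable without root
        reasons = history_suppression(env)
        if reasons:
            hits.append((int(pid), comm, reasons))
    return hits


# Constructed environ blobs for offline use; not captured from a real host.
SUSPICIOUS_ENV = b"HOME=/root\0SHELL=/bin/bash\0HISTFILE=/dev/null\0HISTSIZE=0\0"
CLEAN_ENV = b"HOME=/home/ops\0SHELL=/bin/bash\0HISTFILE=/home/ops/.bash_history\0"


if __name__ == "__main__":
    for pid, comm, reasons in scan_proc():
        print(f"pid {pid} ({comm}): {', '.join(reasons)}")
```

One caveat on interpreting a clean result: /proc/<pid>/environ shows the environment a process received at exec time, so a shell that ran `export HISTFILE=/dev/null` after starting will not show it there, although every child it launches afterwards will. Pair this with an auditd rule on execve for coverage that does not depend on the shell's cooperation.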