Plague Linux Malware Evades Detection for Over a Year, Hijacks SSH Authentication
Security researchers at Nextron Systems have exposed a sophisticated Linux malware dubbed Plague, which ran undetected for over a year by embedding itself in the system's authentication stack. The malware is a malicious Pluggable Authentication Module (PAM) that lets attackers keep persistent SSH access while systematically suppressing the evidence their sessions would normally leave on infected systems.
Stealth Through Obfuscation and Environment Tampering
Plague combines several evasion techniques that defeat signature-based scanning and starve host logs of evidence:
- Layered obfuscation to conceal malicious strings and logic
- Anti-debugging capabilities to thwart reverse engineering
- Hardcoded credentials for covert SSH access
- Runtime environment sanitization that unsets SSH-related variables (SSH_CONNECTION, SSH_CLIENT)
- Shell history redirected to /dev/null, so commands typed in the session are never written to a history file
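The two session-level tricks in the list above (unsetting SSH_CONNECTION and SSH_CLIENT, and sending history to /dev/null) are also the easiest to hunt for from the host, because a shell that sshd started but that no longer carries sshd's variables is itself anomalous. The script below is an added example, not Nextron's tooling or code from the write-up: it reads /proc/<pid>/environ for running shells and flags the mismatch. It assumes that the history redirect is implemented by pointing HISTFILE at /dev/null (the article only says history goes to /dev/null) and that an interactive SSH session's parent process has the comm name "sshd"; the sample environments at the bottom are constructed, not captured from an infection.

```python
"""Spot SSH sessions whose environment looks scrubbed.

Added example (not Nextron's tooling, not code from the write-up).  It
assumes two things the article implies but does not spell out: that the
history redirect is done by pointing HISTFILE at /dev/null, and that an
interactive session started by sshd has a parent process named "sshd".
Reading another user's /proc/<pid>/environ needs root.
"""
from pathlib import Path

SSH_VARS = ("SSH_CONNECTION", "SSH_CLIENT")   # exported by sshd for every session
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "fish"}


def parse_environ(raw: bytes) -> dict:
    """Decode a /proc/<pid>/environ blob: NUL-separated KEY=VALUE entries."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def findings_for(env: dict, parent_comm: str) -> list:
    """Reasons a shell's environment looks tampered with (empty list = clean).

    A shell whose parent is sshd but which lacks the SSH_* variables had
    them unset after sshd exported them; HISTFILE=/dev/null (or empty)
    means nothing typed in the session is written to disk.
    """
    reasons = []
    if parent_comm == "sshd":
        missing = [v for v in SSH_VARS if v not in env]
        if missing:
            reasons.append("sshd child is missing " + ", ".join(missing))
    histfile = env.get("HISTFILE")
    if histfile is not None and histfile.strip() in ("", "/dev/null"):
        reasons.append("HISTFILE=%r disables shell history" % histfile)
    return reasons


def scan_proc(proc_root: str = "/proc") -> dict:
    """Walk /proc and return {pid: [reasons]} for shells that look scrubbed."""
    root = Path(proc_root)
    hits = {}
    if not root.is_dir():
        return hits
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
            if comm not in SHELLS:
                continue
            status = (entry / "status").read_text()
            ppid = next(line.split()[1] for line in status.splitlines()
                        if line.startswith("PPid:"))
            parent_comm = (root / ppid / "comm").read_text().strip()
            env = parse_environ((entry / "environ").read_bytes())
        except (OSError, StopIteration, IndexError):
            continue    # process exited mid-scan, or no permission to read it
        reasons = findings_for(env, parent_comm)
        if reasons:
            hits[int(entry.name)] = reasons
    return hits


# Constructed sample environments (not captured from a real infection).
NORMAL_SESSION = (b"USER=alice\0SSH_CONNECTION=10.0.0.5 51234 10.0.0.7 22\0"
                  b"SSH_CLIENT=10.0.0.5 51234 22\0HISTFILE=/home/alice/.bash_history\0")
SCRUBBED_SESSION = b"USER=root\0HOME=/root\0HISTFILE=/dev/null\0"

if __name__ == "__main__":
    print("normal  :", findings_for(parse_environ(NORMAL_SESSION), "sshd"))
    print("scrubbed:", findings_for(parse_environ(SCRUBBED_SESSION), "sshd"))
    for pid, reasons in scan_proc().items():
        print(pid, reasons)
```

Run it as root from cron or an EDR script hook; a hit is a lead, not a verdict, since users can legitimately unset variables or disable history in their own shell profile. What makes the combination interesting is that a shell spawned by sshd yet missing both SSH_* variables is something an attacker has to work to produce.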
"Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces," explained Pierre-Henri Pezier, threat researcher at Nextron Systems. "Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools."
Forensic Ghost in the Machine
The malware's most dangerous property is that it leaves almost no audit trail to begin with. By unsetting the SSH-related environment variables and redirecting shell history, Plague prevents the session-level metadata that would normally betray an interactive attacker from ever being written, while the PAM hook keeps the access working across system updates.
Undetected in the Wild
Analysis of compilation artifacts indicates active development across multiple GCC versions and Linux distributions. Despite numerous samples being uploaded to VirusTotal over the past year, zero antivirus engines flagged them as malicious—highlighting critical gaps in conventional detection methods.
This discovery follows Nextron's earlier findings of PAM-targeting malware in May, signaling a trend in which attackers increasingly target Linux's authentication infrastructure rather than the services in front of it. As enterprise and cloud environments rely heavily on Linux systems, Plague represents an escalating threat to foundational security controls.
The Authentication Layer Blind Spot
The emergence of Plague underscores a blind spot in how security tools monitor the authentication subsystem. A malicious PAM module runs inside a component the rest of the stack already trusts: sshd invokes it like any legitimate module, so it produces no traffic or event that perimeter defenses would see. Security teams must now prioritize:
1. Behavioral analysis of PAM modules
2. Integrity monitoring for critical authentication files, including the PAM configuration under /etc/pam.d and the shared objects it loads
3. Enhanced auditing of SSH session metadata
4. Memory forensics beyond disk-based scanning
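Of the four items above, integrity monitoring of the PAM stack is the one a team can start on today with tools already on the box. The script below is an added example, not Nextron's detection logic: it parses /etc/pam.d (directives of the form `type control module [args]`, honouring `@include`, the leading `-` for optional modules, bracketed control values and backslash line continuations), resolves each module to a shared object, and asks dpkg or rpm whether a package owns it. The MODULE_DIRS list, the package-manager calls and the name pam_example.so in the sample config are assumptions for a Debian/Ubuntu or RHEL-family host; /etc/pam.conf is not parsed, and the sample pam.d tree it builds is constructed input, not a real host's configuration.

```python
"""Inventory the PAM modules a host loads and flag ones no package owns.

Added example, not Nextron's detection logic.  MODULE_DIRS and the
package-manager calls are assumptions about a Debian/Ubuntu or RHEL-family
host; /etc/pam.conf is not parsed.  pam_example.so in the sample is a
hypothetical name used only to exercise the absolute-path case.
"""
import os
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

MODULE_DIRS = [Path(p) for p in (
    "/lib/security", "/lib64/security", "/usr/lib/security",
    "/usr/lib64/security", "/lib/x86_64-linux-gnu/security",
    "/usr/lib/x86_64-linux-gnu/security")]

# optional '-', type, control (word or [bracketed list]), then the module path
_DIRECTIVE = re.compile(
    r"^-?(?:auth|account|password|session)\s+(?:\[[^\]]*\]|\S+)\s+(\S+)")


def parse_pam_dir(pam_d: Path) -> dict:
    """Map every module referenced under pam_d to the config files naming it."""
    modules = {}
    for cfg in sorted(p for p in pam_d.iterdir() if p.is_file()):
        text = cfg.read_text(errors="replace").replace("\\\n", " ")
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line or line.startswith("@include"):
                continue   # included files live in pam_d and are parsed on their own
            m = _DIRECTIVE.match(line)
            if m:
                modules.setdefault(m.group(1), set()).add(cfg.name)
    return modules


def resolve_module(name: str):
    """Absolute paths are used as-is; bare names are looked up in MODULE_DIRS."""
    if name.startswith("/"):
        return Path(name)
    for d in MODULE_DIRS:
        if (d / name).exists():
            return d / name
    return None


def owned_by_package(path: Path) -> bool:
    """True if dpkg or rpm knows the file (also tried via its realpath,
    since merged-/usr systems package the file under one of the two)."""
    candidates = {str(path), os.path.realpath(path)}
    if shutil.which("dpkg"):
        cmd = ["dpkg", "-S"]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-qf"]
    else:
        return False
    return any(subprocess.run(cmd + [c], capture_output=True).returncode == 0
               for c in candidates)


def audit(pam_d: Path = Path("/etc/pam.d")) -> list:
    """Return (module, referencing files, verdict) for each loaded module."""
    report = []
    for name, files in sorted(parse_pam_dir(pam_d).items()):
        path = resolve_module(name)
        if path is None or not path.exists():
            verdict = "MISSING"      # referenced but not on disk
        elif owned_by_package(path):
            verdict = "packaged"
        else:
            verdict = "UNOWNED"      # prime candidate for a dropped module
        report.append((name, sorted(files), verdict))
    return report


def build_sample_pam_d() -> Path:
    """Write a constructed pam.d tree to a temp dir (sample input, not a real host)."""
    d = Path(tempfile.mkdtemp(prefix="pam_d_"))
    (d / "common-auth").write_text(
        "auth    [success=1 default=ignore]  pam_unix.so nullok\n"
        "auth    requisite                   pam_deny.so\n"
        "auth    required                    pam_permit.so\n")
    (d / "sshd").write_text(
        "# PAM configuration for the Secure Shell service\n"
        "@include common-auth\n"
        "account   required   pam_nologin.so\n"
        "-session  optional   pam_systemd.so\n"
        "session   required   /lib/security/pam_example.so   # hypothetical\n"
        "session   optional   pam_motd.so motd=/run/motd.dynamic \\\n"
        "                     noupdate\n")
    return d


if __name__ == "__main__":
    for module, files, verdict in audit(build_sample_pam_d()):
        print(f"{verdict:9} {module:40} {','.join(files)}")
```

Ownership is only the first gate: a module that a package does own can still have been overwritten in place, so follow the UNOWNED pass with a content check (`dpkg --verify` or `rpm -V` on the PAM packages) and keep a baseline of the module hashes so that a change that survives an update stands out. Run the audit from a known-clean copy of the script, since a host with a malicious PAM module is by definition not fully trustworthy.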
As threat actors weaponize infrastructure-level trust, the security community faces a pivotal challenge: rethinking detection paradigms to catch what traditional tools miss.
Source: Sergiu Gatlan, BleepingComputer (https://www.bleepingcomputer.com/news/security/new-plague-malware-backdoors-linux-devices-removes-ssh-session-traces/)