- Nextron Systems has found a malicious authentication module
- They named it Plague after finding pop-culture references in its code
- The malware is capable of wreaking havoc on high-value targets
Security researchers have found a piece of highly capable Linux malware that has somehow flown under the radar for a year.
Nextron Systems reported finding Plague, a malicious authentication module that grants attackers persistent and covert access to compromised systems.
“The Plague backdoor represents a sophisticated and scalable threat to Linux infrastructure, exploiting core authentication mechanisms to maintain stealth and persistence,” the researchers explained. “Its use of advanced obfuscation, static credentials and environment tampering makes detection by conventional methods particularly difficult.”
Manual inspection
The malware was named Plague after the researchers found a reference in its code to Mr. The Plague, a character from the 1995 film Hackers.
The researchers said that several samples had been uploaded to VirusTotal over the past year, but none were flagged as malicious, which could indicate that the backdoor has managed to escape public scrutiny and antivirus detection.
Plague is deeply integrated into the authentication stack, survives system updates and leaves minimal forensic traces, the experts explained.
It uses evolving obfuscation techniques, including XOR, KSA/PRGA routines and a DRBG layer. It also has anti-debugging checks and session-stealth mechanisms that erase all traces of activity. Compiler metadata also shows that it is under active development.
For cybercriminals, there are several advantages to placing malware inside the PAM system.
According to a CyberInsider report, Plague can steal login credentials, which makes it particularly dangerous on high-value Linux systems such as bastion hosts, jump servers and cloud infrastructure.
“A compromised bastion host or jump server can give attackers a foothold to move laterally through internal systems, escalate privileges or exfiltrate sensitive data,” the publication says.
In addition, a compromised cloud environment could grant attackers access to several virtual machines or services at once.
Given that Plague is still not flagged by leading antivirus tools, Nextron advises administrators to inspect their systems manually, including auditing the /lib/security directory for suspicious PAM modules, monitoring the PAM configuration files in /etc/pam.d/ for modifications, and searching authentication logs for suspicious logins.
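The inspection steps above, as an added example that is not from Nextron's report: a small POSIX shell helper that lists the PAM modules referenced from a pam.d directory, flags module files in the usual PAM search paths that no installed package owns, and computes a digest of the PAM configuration so later changes can be spotted. It assumes GNU grep, sha256sum, and dpkg or rpm for ownership lookups; the module search paths are the common defaults, not a definitive list.

```shell
#!/bin/sh
# Added example for PAM backdoor hunting; not Nextron's tooling.

# List every pam_*.so module name referenced by files in a pam.d directory.
pam_referenced_modules() {
    grep -rhoE 'pam_[A-Za-z0-9_]+\.so' "$1" 2>/dev/null | LC_ALL=C sort -u
}

# Return 0 if a package owns the file, 1 if not, 2 if no package manager
# is available (caller then lists everything for manual review).
pam_module_owned() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" >/dev/null 2>&1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" >/dev/null 2>&1
    else
        return 2
    fi
}

# Print module files in the common PAM search paths that no package owns.
# An unowned .so here is exactly where a rogue module would sit.
pam_unowned_modules() {
    for d in /lib/security /lib64/security /usr/lib/security \
             /lib/x86_64-linux-gnu/security /usr/lib/x86_64-linux-gnu/security; do
        [ -d "$d" ] || continue
        for f in "$d"/*.so; do
            [ -e "$f" ] || continue
            pam_module_owned "$f" || echo "$f"
        done
    done
}

# Digest of all files under a pam.d directory (relative paths, sorted),
# so a stored value can be compared against a fresh run to detect edits.
pam_config_digest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) \
        | sha256sum | cut -d' ' -f1
}

# Usage on a live host (uncomment to run):
# pam_referenced_modules /etc/pam.d
# pam_unowned_modules
# pam_config_digest /etc/pam.d
```

Record the digest from a known-good state and compare it on a schedule; any difference means a PAM configuration file was added, removed or edited.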
Via The Register