Understanding the ‘Plague’ Pluggable Authentication Module (PAM*) backdoor in Linux systems
‘Plague’ represents a newly identified Linux backdoor that has quietly evaded detection by traditional antivirus solutions for over a year. Its primary mechanism involves operating as a malicious PAM, allowing attackers to silently bypass system authentication and establish persistent SSH access to compromised Linux systems.
*Note: While PAM is commonly associated with privileged access management in our world, in this context, PAM refers to Pluggable Authentication Module—a Linux framework for managing authentication. Despite sharing the same acronym, these are distinct technologies with very different functions.
What is PAM in Linux authentication?
Linux PAM is a powerful framework that enables system administrators to manage authentication policies with flexibility and centralized control. As a middleware layer, PAM sits between user-facing applications—such as login, sshd, or sudo—and the underlying authentication mechanisms like passwords, biometrics, or smart cards.
Its modular architecture allows administrators to update or customize authentication workflows without modifying the application code, making it a versatile tool for securing Linux systems.
Why PAM is an attractive target
While beneficial for system administration, PAM’s flexible and modular design makes it an exceptionally appealing target for adversaries. PAM modules are loaded into privileged authentication processes, granting a malicious module direct, unfettered access to sensitive user credentials. This mechanism enables the malware to bypass authentication checks—even with invalid credentials—and remain largely undetected due to its deep integration at a foundational level. Previous malware families like Orbit, Azazel rootkit, and Skidmap have successfully exploited PAM APIs for credential logging and remote access.
How the Plague malware exploits PAM in Linux
The following points summarize how Plague typically operates once deployed as a PAM module:
- Plague’s initial infection vector remains unknown. However, during deployment, the malware drops a binary that is configured to run as a PAM module for sshd.
- This module provides an SSH backdoor, enabling threat actors to log in to the infected machine while bypassing standard authentication mechanisms.
- Because it operates within the core of Linux authentication, the malware can persist through application updates and security patches.
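Because a PAM backdoor like Plague lives in the same `/etc/pam.d` stacks that the post describes as PAM's middleware layer, the quickest defensive check is to enumerate every module each service loads and flag anything that is not a known distribution module, is loaded from an unexpected path, or sits in the `auth` stack with a `sufficient` control (where one module's success ends authentication). The following script is an added example written for this page, not code from CyberArk or from the Plague analysis: it parses pam.d-style configuration, audits the entries, and optionally asks `dpkg`/`rpm` which package owns a module file. The trusted module directories, the allowlist, and the sample sshd stack (including its two rogue entries and their names) are constructed assumptions; build the allowlist from a clean golden image of your own distribution.

```python
"""
Audit PAM service configuration for unexpected modules.

Added example (not from the original post): parses /etc/pam.d-style files,
lists every module each service loads, and flags modules that are not on an
allowlist, live outside the distribution's module directories, or sit in the
auth stack with a 'sufficient' control (where a success ends authentication).
"""
import os
import shutil
import subprocess
from dataclasses import dataclass, field

# Assumption: common packaged-module directories on Debian/Ubuntu and RHEL-style systems.
TRUSTED_MODULE_DIRS = {
    "/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
}

# Assumption: allowlist constructed for this example; derive yours from a clean build.
KNOWN_GOOD_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_limits.so", "pam_loginuid.so",
    "pam_selinux.so", "pam_motd.so", "pam_keyinit.so", "pam_systemd.so", "pam_deny.so",
    "pam_permit.so", "pam_faillock.so",
}


@dataclass
class PamEntry:
    service: str
    type: str      # auth | account | password | session
    control: str   # required | sufficient | [success=1 default=ignore] ...
    module: str    # module name or absolute path
    args: list = field(default_factory=list)


@dataclass
class Finding:
    entry: PamEntry
    name: str       # module basename
    reasons: list


def parse_pam_config(service: str, text: str) -> list:
    """Parse one pam.d file body into PamEntry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line or line.startswith("@include"):
            continue                               # included files are audited on their own
        tokens = line.split()
        if len(tokens) < 3:
            continue                               # malformed: needs type, control, module
        mtype = tokens[0].lstrip("-")              # leading '-' only silences missing-module logging
        i = 1
        if tokens[i].startswith("["):              # bracketed control spans several tokens
            parts = []
            while i < len(tokens):
                parts.append(tokens[i])
                i += 1
                if parts[-1].endswith("]"):
                    break
            control = " ".join(parts)
        else:
            control, i = tokens[i], i + 1
        if i >= len(tokens):
            continue                               # malformed line: no module path
        entries.append(PamEntry(service, mtype, control, tokens[i], tokens[i + 1:]))
    return entries


def find_suspicious(entries, known_good=KNOWN_GOOD_MODULES) -> list:
    """Return a Finding for every entry that deserves a second look."""
    findings = []
    for e in entries:
        name = os.path.basename(e.module)
        reasons = []
        if name not in known_good:
            reasons.append("module not in allowlist")
        if "/" in e.module and os.path.dirname(e.module) not in TRUSTED_MODULE_DIRS:
            reasons.append("path outside trusted module directories")
        if reasons and e.type == "auth" and e.control == "sufficient":
            reasons.append("'sufficient' in the auth stack: its success ends authentication")
        if reasons:
            findings.append(Finding(e, name, reasons))
    return findings


def package_owner(path: str):
    """Ask the package manager which package owns a module file; None if nobody claims it."""
    if shutil.which("dpkg"):
        cmd = ["dpkg", "-S", path]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-qf", path]
    else:
        return None
    res = subprocess.run(cmd, capture_output=True, text=True)
    return res.stdout.strip() or None


def audit_pam_dir(pam_dir="/etc/pam.d") -> list:
    """Audit every service file under pam_dir on a live system."""
    findings = []
    for svc in sorted(os.listdir(pam_dir)):
        with open(os.path.join(pam_dir, svc), errors="replace") as fh:
            findings += find_suspicious(parse_pam_config(svc, fh.read()))
    return findings


# Constructed sample sshd stack; the last two entries and their module names are invented for the example.
SAMPLE_SSHD_PAM = """\
# Constructed sample of /etc/pam.d/sshd for this example
auth       required     pam_env.so
auth       sufficient   /lib/security/pam_unix.so nullok
auth       required     pam_deny.so
account    required     pam_nologin.so
account    [success=1 default=ignore] pam_unix.so
session    required     pam_limits.so
session    optional     pam_keyinit.so force revoke
-session   optional     pam_systemd.so
auth       sufficient   /usr/lib/x86_64-linux-gnu/security/pam_unknown_example.so
session    required     /tmp/.hidden/libpam_extra.so
"""

if __name__ == "__main__":
    for f in find_suspicious(parse_pam_config("sshd", SAMPLE_SSHD_PAM)):
        owner = package_owner(f.entry.module) if os.path.isabs(f.entry.module) else None
        print(f"[{f.entry.service}] {f.entry.type:8} {f.entry.control:12} {f.entry.module}")
        for r in f.reasons:
            print("    -", r)
        print("    - owner:", owner or "no package claims this file")
```

Run it as-is to see the two constructed rogue entries reported; call `audit_pam_dir()` on a real host to walk `/etc/pam.d`. The allowlist check matters more than the path check: a module dropped into the distribution's own security directory, as a backdoor running as an sshd PAM module would aim to do, passes the path test and is caught only because its name is not on the list and no package owns the file.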
Reducing exposure to the Plague PAM backdoor
Plague is deployed as a PAM module, requiring elevated installation privileges. If the malware is introduced through a privileged process—such as a misused binary or script—endpoint privilege management (EPM) can help block the installation by removing unnecessary admin rights.
Another important control is PSM for SSH, which helps manage privileged access to critical systems and enables robust monitoring and auditing. These capabilities are especially relevant when defending against advanced threats like Plague.
How privilege misuse enables PAM backdoor attacks
Plague exploits the core of Linux authentication by embedding itself as a PAM module. Its silent persistence and ability to bypass SSH login make it a formidable threat. Mitigating such risks starts with removing unnecessary privileges before they’re abused.
CyberArk Labs is a team of white hat hackers, intelligence experts, and security leaders advancing threat research to strengthen global cyber defense.