Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that's being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called "darkworm."

The backdoor is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination. It's also capable of harvesting credentials from all legitimate users who authenticate through the compromised system.

"The tool, called PamDOORa, is a new PAM-based backdoor, designed to serve as a post-exploitation backdoor, enabling authentication to servers via OpenSSH," Flare.io researcher Assaf Morag said in a technical report. "Allegedly this would remain persistent on Linux systems (x86_64)."

PamDOORa is the second Linux backdoor after Plague to be discovered targeting the PAM stack over the past year. PAM is a security framework in Unix/Linux operating systems that lets system administrators incorporate multiple authentication mechanisms into an existing system, or update them (e.g., switching from passwords to biometrics), through pluggable modules without rewriting existing applications.
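Because every module named in a service's PAM configuration runs inside the authentication path, a defender can audit those files for modules that are not part of the host's known-good set. The following is an added example, not code from the article or the Flare report: the baseline, the sample `sshd` configuration, and the module names `pam_example_unknown.so` and `/opt/example/pam_helper.so` are constructed for illustration.

```python
import re

# Assumed baseline of expected modules; build yours from a known-good image.
BASELINE = {"pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_deny.so",
            "pam_permit.so", "pam_limits.so", "pam_systemd.so"}
# Usual module directories; an absolute path elsewhere deserves review.
MODULE_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
               "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/",
               "/usr/lib/x86_64-linux-gnu/security/")
TYPES = {"auth", "account", "password", "session"}
# pam.d rule: [-]type  control|[bracketed control]  module-path  [args...]
RULE = re.compile(r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)")

def parse_pam(text):
    """Return (type, control, module) for each module rule in a pam.d file."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()             # drop comments
        m = RULE.match(line)
        if not m or m.group("type") not in TYPES:
            continue                                    # blank, @include, junk
        if m.group("control") in ("include", "substack"):
            continue                                    # names a file, not a module
        rules.append((m.group("type"), m.group("control"), m.group("module")))
    return rules

def audit(text, baseline=BASELINE):
    """Flag modules outside the baseline or loaded from unusual paths."""
    findings = []
    for ptype, _control, module in parse_pam(text):
        name = module.rsplit("/", 1)[-1]
        if module.startswith("/") and not module.startswith(MODULE_DIRS):
            findings.append((ptype, module, "non-standard module path"))
        elif name not in baseline:
            findings.append((ptype, module, "module not in baseline"))
    return findings

# Constructed sample of /etc/pam.d/sshd (not taken from a real host).
SAMPLE = """\
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       sufficient   pam_example_unknown.so
auth       requisite    pam_deny.so
account    required     pam_nologin.so
@include common-session
session    optional     /opt/example/pam_helper.so
-session   optional     pam_systemd.so
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

This check only covers what the configuration references; verifying the module files themselves against package checksums (for example with `rpm -V` or `debsums`) covers the case of a replaced module file.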