Pamdoora Malware Hijacks Linux Login System to Capture Credentials

The Pamdoora backdoor targets Linux authentication modules to silently record SSH passwords and maintain persistent remote access.

CSBadmin

How It Works

Security researchers have identified a sophisticated Linux backdoor, dubbed Pamdoora, that compromises the Pluggable Authentication Modules (PAM) framework on targeted systems. By injecting itself into the PAM library that the SSH daemon calls during authentication, the malware sees each password in plain text at the moment PAM verifies it and logs the credential. Because it runs inside a legitimate authentication path rather than as a separate process, the backdoor operates at a low level that standard security tools have difficulty distinguishing from normal login activity.

Once installed, Pamdoora provides attackers with persistent remote access and can exfiltrate the captured credentials to an external command-and-control server. Its stealth comes from blending in with legitimate system authentication: logins still succeed as before, so the compromise leaves few obvious traces for system administrators to find.

Impact and Scope

This backdoor poses a significant threat to Linux servers, particularly those used in enterprise environments where SSH is the primary method for remote administration. Organizations relying on SSH for secure access to critical infrastructure, cloud instances, or managed services are at risk of credential theft and subsequent lateral movement by attackers.

Researchers have not yet attributed Pamdoora to a specific threat actor or campaign. System administrators are urged to audit PAM configurations (the service files under /etc/pam.d and the modules they load), monitor for unauthorized modifications to authentication libraries, and implement multi-factor authentication so that a captured password alone is not enough to log in. Regular integrity checks on system binaries and PAM module libraries, compared against a known-good baseline, can also help detect such low-level intrusions.

Source: The Hacker News
