New PamDOORa Linux Backdoor Steals SSH Credentials From Infected Systems
Key Takeaways A new Linux backdoor, PamDOORa, is actively being sold on Russian cybercrime forums. The malware targets the Pluggable Authentication Module (PAM) framework to stealthily steal SSH...
Key Takeaways
- A new Linux backdoor, PamDOORa, is actively being sold on Russian cybercrime forums.
- The malware targets the Pluggable Authentication Module (PAM) framework to stealthily steal SSH credentials.
- PamDOORa operates as a post-exploitation tool, requiring root access for deployment, and employs sophisticated anti-forensic techniques to evade detection and erase traces.
- Detection is challenging as the attack occurs at a low level, often missed by standard monitoring tools.
- Defenders must implement robust system hardening, enhanced logging, and advanced rootkit detection to mitigate risks.
Linux systems face a significant new threat from PamDOORa, a recently discovered backdoor designed to surreptitiously compromise Secure Shell (SSH) credentials. This sophisticated malware targets one of the operating system’s most fundamental and trusted components: the Pluggable Authentication Module (PAM) framework.
Table Of Content
PamDOORa initially appeared for sale on Rehub, a prominent Russian-speaking cybercrime forum. The complete source code was first advertised at $1,600, a price that quickly dropped to $900. This sudden reduction raised concerns among researchers, suggesting either a lack of demand or a deliberate effort by the seller to offload the tool rapidly. More details on the sale can be found in a Flare blog post.
How PamDOORa Operates on Linux Systems
PamDOORa’s effectiveness stems from its method of hijacking the Pluggable Authentication Module (PAM) framework, which is integral to Linux systems for handling user authentication and identity verification. Unlike typical malware that might appear as a running process, PamDOORa injects a malicious module directly into the authentication layer. Here, it remains dormant, waiting to harvest credentials during login attempts before they are recorded in standard logs. This low-level operation makes it particularly dangerous, as most conventional monitoring tools are not configured to scrutinize this deep within the system.
Researchers from Group-IB identified the specific technique employed by this backdoor, noting its exploitation of pam_exec. This is a legitimate PAM module designed to execute external commands during authentication events. The Group-IB DFIR team highlighted that this abuse method was not previously documented within the MITRE ATT&CK framework, indicating a novel technique that many security teams might not be prepared to defend against. Further insights into PAM exploitation can be found in a Group-IB blog post.
The threat actor behind PamDOORa, operating under the moniker “darkworm” on the Rehub forum, exhibits a deep understanding of Linux internals. Analysis of code snippets shared in the advertisement reveals credible and technically sound methods consistent with known PAM exploitation tactics. This suggests that “darkworm” is a more skilled and serious operator compared to others who might reuse the same alias on less reputable forums, as detailed in Flare’s analysis.
A key concern with PamDOORa is its exceptional stealth. The backdoor is designed to manipulate and erase authentication log files, including lastlog, btmp, utmp, and wtmp, effectively removing any evidence of an attacker’s presence on the server. This anti-forensic capability means that incident response teams investigating a breach could unknowingly have their own credentials compromised the moment they SSH into the infected machine.
PamDOORa functions as a post-exploitation tool, meaning an attacker must first gain root access to the system before deploying it. Once installed, it injects a malicious PAM module that creates a file named pam_linux.so. This file is then loaded into the authentication stack alongside legitimate system modules, allowing it to blend in seamlessly rather than replacing existing files, thereby complicating detection. This mechanism is further elaborated in Flare’s report.
The backdoor establishes persistent SSH access through a combination of a specific TCP port and a secret “magic password” known only to the attacker. A specialized routine monitors open connections, applying conditional logic to identify and grant silent access to the attacker, while legitimate users experience no unusual activity. User credentials submitted during normal logins are intercepted within the PAM stack, encrypted using XOR with a runtime-generated key, and then written to the /tmp directory using randomly generated filenames and timestamps. This process is also highlighted in Flare’s findings.
Anti-Forensics and the Challenge of Detection
PamDOORa’s advanced anti-forensic capabilities distinguish it from simpler backdoors. It actively purges attacker login records from system logs, often leaving behind only failed login attempts that investigators might dismiss as benign noise. Since credential theft occurs within the PAM layer, application-level logging tools are unable to capture the compromised data, and detection methods focused on user-space processes will completely overlook the attack. This makes comprehensive incident response exceptionally difficult, as noted in Flare’s analysis.
What You Should Do
- Treat any compromised Linux server as having fully exposed credentials, regardless of the apparent scope of the breach.
- Enable and configure security enhancements like SELinux and AppArmor to enforce stronger process isolation.
- Install and configure Auditd with DISA-STIG recommended rules to diligently monitor changes to critical system files and configurations.
- Deploy rkhunter or similar tools to detect rootkits and unauthorized software installations.
- Disable direct root login over SSH, lock the root account, and restrict
sudoaccess to only essential, authorized users to minimize the attack surface. - Review and harden PAM configurations, paying close attention to
/etc/pam.d/sshdfor any unauthorized modifications or inclusions of unknown modules. - Implement robust logging and centralized log management to quickly identify anomalies, even if local logs are tampered with.
Indicators of Compromise (IoCs)
Based on information disclosed, the following indicators were identified:
| Type | Indicator | Description |
|---|---|---|
| File Name | pam_linux.so | Malicious PAM shared object injected into the authentication stack |
| File Name | tn.sh | Script executed via pam_exec during SSH authentication attempts |
| Directory | /tmp/ | Location where captured credential files are written with dynamic names |
| Network Port | 1234 | Remote port used by netcat (nc) to exfiltrate stolen credential data |
| PAM Config Path | /etc/pam.d/sshd | SSH PAM configuration file modified to load the malicious module |
| PAM Module | pam_exec.so | Legitimate PAM module abused to execute the malicious script silently |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.