Detecting Malware Exploiting Linux PAM through AhnLab EDR
Pluggable Authentication Modules (PAM) is a modular framework that allows applications such as su, sudo, and sshd to perform security policy logic such as authentication without implementing it directly. Applications delegate authentication to the libpam library, which then loads and executes PAM modules according to the configuration information before aggregating the results.
For example, when a user logs in to the OpenSSH server process (sshd), sshd calls functions such as pam_authenticate() in the libpam library. libpam then executes the service module functions of the registered PAM modules, the main one being pam_sm_authenticate(). This function is responsible for authentication, so a PAM module that handles authentication implements its authentication logic there. Consequently, if a registered PAM module is malware, the threat actor implements the malicious routine in the pam_sm_authenticate() function.
1. PAM Malware
Typically, malware implemented as a PAM module obtains credentials when its pam_sm_authenticate() function is called and exfiltrates them. This type of malware was also covered in a report published by Nextron in May 2025 [1]. The report focused on the malware itself, so the initial access method used by the threat actor is unknown. However, the threat actors who created the malware designed their PAM backdoors to obtain and exfiltrate credentials when users log in. The pam_sm_authenticate() function in each malware strain includes a routine that either transmits the obtained credentials to a C&C server or writes them to a specific path.

Figure 1. The pam_sm_authenticate() function writing credential information to the /tmp/sshlog file

Figure 2. Routines for sending credential information to the C&C server
AhnLab EDR detects the registration of a PAM module as a key behavior, so that administrators are made aware of it in advance.

Figure 3. EDR detection of PAM module registration behavior
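PAM modules are registered through the rules in /etc/pam.d/*, so an administrator can audit those files for modules that are not part of the expected baseline. The following is an added example (not AhnLab's code and not from the report) that parses the Linux-PAM rule syntax, including the bracketed control field and the optional leading "-" on the type, and flags modules loaded from outside the standard module directories or absent from an assumed allowlist; the directory list, the allowlist and the sample sshd configuration are constructed assumptions for the example.

```python
import re
from pathlib import PurePosixPath

# Assumed baseline for this example: where packaged PAM modules normally live and
# which module names the administrator expects to see. Adjust per distribution.
STANDARD_MODULE_DIRS = {"/lib/security", "/lib64/security",
                        "/usr/lib/security", "/usr/lib/x86_64-linux-gnu/security"}
EXPECTED_MODULES = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
                    "pam_nologin.so", "pam_systemd.so", "pam_limits.so"}

# The control field may be bracketed ([success=1 default=ignore]) and contain spaces.
LINE_RE = re.compile(r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+"
                     r"(?P<module>\S+)(?:\s+(?P<args>.*))?$")

def parse_pam_config(text):
    """Return (type, control, module, args) per rule; comments and @include lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if m:  # a leading '-' on the type only means "silently skip if the module is missing"
            entries.append((m["type"].lstrip("-"), m["control"], m["module"], m["args"] or ""))
    return entries

def audit_pam_config(text, service):
    """Flag modules loaded from outside the standard directories or absent from the allowlist."""
    findings = []
    for mtype, control, module, _args in parse_pam_config(text):
        if control in ("include", "substack"):
            continue  # these reference another service file, not a module
        path = PurePosixPath(module)
        if path.is_absolute():
            if str(path.parent) not in STANDARD_MODULE_DIRS:
                findings.append((service, mtype, module, "module outside standard directories"))
        elif path.name not in EXPECTED_MODULES:
            findings.append((service, mtype, module, "module not in allowlist"))
    return findings

# Constructed sample of /etc/pam.d/sshd for demonstration (not taken from a real host).
SAMPLE_SSHD_PAM = """\
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       optional     /tmp/pam_custom.so      # absolute path outside the module dirs
@include common-account
session    required     pam_limits.so
-session   optional     pam_systemd.so
session    optional     pam_sshlog.so           # name not in the allowlist
"""
```

Relative module names are resolved by libpam against the distribution's default module directory, so a module that is not in the allowlist should be checked there as well as in the locations listed above.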
2. PAM Hooking Malware (Plague)
Credentials can also be stolen without creating and registering a malicious PAM module: it is enough to hook the pam_authenticate() function. In August 2025, a report on malware named Plague was published [2]. Plague uses the PRELOAD method to load itself into the memory of running processes, which allows it to be loaded into processes such as sshd.
With the PRELOAD method, when an application calls a function and a preloaded library exports a function of the same name, the preloaded library’s function is called first. For example, when sshd calls pam_authenticate(), the pam_authenticate() function in Plague, which was loaded using the PRELOAD method, is called before the pam_authenticate() function in the libpam library.
Plague exploits exactly this: once installed on an infected system, its pam_authenticate() function contains a malicious routine that, when a user logs in, stores their credentials in a specific path such as “/var/log/.-utmpx”.

Figure 4. File where credential information is recorded
In addition, Plague supports a hard-coded password. In the following sample, the login routine checks whether the user entered the password “changeme”, and if it matches, the login succeeds. As a result, threat actors can log in with the password “changeme” regardless of the account’s actual password.

Figure 5. Hooking routine after the pam_authenticate() function
Additionally, Plague prevents shell history from being recorded when threat actors log in with the password “changeme”. It also hides specific files: those whose names start with “.-”, such as the “.-utmpx” file that contains credentials, the malicious “ld.so.preload” file, and “libselinux.so.8”, which is assumed to be the file name of the malware.

Figure 6. List of file names that Plague hides
Because only the Plague malware itself is known, it is not possible to determine how the system was initially infiltrated or how the threat actor used it. However, given the characteristics of Plague, it is likely that the malware was installed using the PRELOAD method: the threat actor, or the malware responsible for the installation, can install Plague by setting the “LD_PRELOAD” environment variable or by writing the path of Plague into the “/etc/ld.so.preload” file.
AhnLab EDR detects modification of the “/etc/ld.so.preload” file used by the PRELOAD method as a threat, so that administrators are made aware of this behavior in advance. Also, when a library is loaded through the PRELOAD method, AhnLab EDR detects this as a key behavior, just as it does PAM module registration, allowing administrators to identify the cause and respond appropriately.

Figure 7. EDR detection of the /etc/ld.so.preload configuration behavior

Figure 8. EDR detection of the behavior of loading the library in PRELOAD mode
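The two PRELOAD installation paths described above (the LD_PRELOAD variable and /etc/ld.so.preload) both leave traces an administrator can check: the preload file itself, the environment of the running sshd process, and the list of libraries mapped into it. The following is an added example (not AhnLab's code and not from the Plague report) that reads those three sources from text already captured, reports any preload configuration at all, and flags libraries mapped from outside an assumed set of standard library directories; the directory list and all sample inputs are constructed for the example, and the sample file name only follows the name the report assumes for Plague.

```python
import re

# Assumed baseline for this example: directories where legitimate shared libraries live.
STANDARD_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# One /proc/<pid>/maps line: address perms offset dev inode [path]; only file-backed lines match.
MAPS_RE = re.compile(r"^\S+ \S+ \S+ \S+ \d+\s+(?P<path>/\S+)$")

def preload_entries(preload_text):
    """Library paths listed in /etc/ld.so.preload; the file is normally absent or empty."""
    lines = (l.split("#", 1)[0].strip() for l in preload_text.splitlines())
    return [l for l in lines if l]

def ld_preload_from_environ(environ_bytes):
    """Value of LD_PRELOAD in a /proc/<pid>/environ dump (NUL-separated), or None."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def mapped_libraries(maps_text):
    """Distinct file-backed shared objects mapped into a process, in mapping order."""
    libs = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if m and ".so" in m["path"] and m["path"] not in libs:
            libs.append(m["path"])
    return libs

def audit_preload(preload_text, environ_bytes, maps_text):
    """Any preload configuration is reported, as are libraries mapped from outside standard dirs."""
    findings = [("ld.so.preload entry", p) for p in preload_entries(preload_text)]
    env = ld_preload_from_environ(environ_bytes)
    if env:
        findings.append(("LD_PRELOAD set in process environment", env))
    for lib in mapped_libraries(maps_text):
        if not lib.startswith(STANDARD_LIB_DIRS):
            findings.append(("library mapped outside standard directories", lib))
    return findings

# Constructed sample inputs (not from a real host); the path /var/tmp is made up for the example.
SAMPLE_PRELOAD = "/var/tmp/libselinux.so.8\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/var/tmp/libselinux.so.8\0HOME=/root\0"
SAMPLE_MAPS = """\
5590a3c00000-5590a3c20000 r--p 00000000 fd:01 1234   /usr/sbin/sshd
7f3a1c000000-7f3a1c010000 r-xp 00000000 fd:01 5678   /var/tmp/libselinux.so.8
7f3a1c200000-7f3a1c260000 r-xp 00000000 fd:01 9012   /usr/lib/x86_64-linux-gnu/libpam.so.0
7f3a1c400000-7f3a1c420000 r-xp 00000000 fd:01 3456   /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c600000-7f3a1c601000 rw-p 00000000 00:00 0
"""
```

Because a preloaded library that hides files (as Plague does with the “.-” names and ld.so.preload) is also loaded into the auditing process on a live host, these checks are most reliable when run against an offline image or from a known-clean boot.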
3. Conclusion
Cases have been disclosed in which threat actors attack the PAM authentication process to steal credentials or set a backdoor password. Malware developers either create their malware in the form of a malicious PAM module or use the PRELOAD technique to hook the functions used in PAM authentication. Both methods can be used to steal the credentials of user accounts on Linux servers, and both can also let the threat actor log in to any account with a password of their choosing and maintain persistence.
AhnLab EDR detects, as threats and key behaviors, the registration of suspicious PAM malware and the installation of malware that attacks PAM authentication via the PRELOAD method. Through this, administrators can identify the cause and respond appropriately. Even after a system has been compromised, administrators can use the evidence left by the threat actors as data for breach incident investigation.
AhnLab EDR Detection Name
- Plague Malware
- Persistence/EDR.Preload.M10892 (2023.03.03.03)
- Suspicious/DETECT.T1574.006.M10894 (2023.03.03.03)
- PAM Malware
- Persistence/DETECT.PAM.M12915 (2025.08.07.03)
V3 Diagnosis
- Plague Malware
- Backdoor/Linux.Plague (2025.08.04.00)
- Backdoor/Linux.Plague.XE268 (2025.08.11.02)
- PAM Malware
- Backdoor/Linux.PAM.13016 (2025.08.04.03)
- Backdoor/Linux.PAM.15560 (2025.08.04.03)
- Backdoor/Linux.PAM.7880 (2025.08.04.03)
- Backdoor/Linux.PAM.12888 (2025.08.04.03)
- Backdoor/Linux.PAM.15568 (2025.08.04.03)
- Backdoor/Linux.PAM.SE335 (2025.08.11.02)
- Backdoor/Linux.PAM.SE336 (2025.08.11.02)
- Backdoor/Linux.PAM.SE337 (2025.08.11.02)
- Backdoor/Linux.PAM.SE338 (2025.08.11.02)