PamDOORa Linux Backdoor Leverages PAM for Persistent SSH Access

The Hacker News reports on a new Linux backdoor named PamDOORa, currently being peddled on the Russian cybercrime forum Rehub for $1,600 by a threat actor known as “darkworm.” This isn’t just another piece of malware; it’s a post-exploitation toolkit designed around Pluggable Authentication Modules (PAM).

PamDOORa’s core functionality revolves around establishing persistent SSH access. It achieves this by combining a “magic password” with a specific TCP port. Because PAM is the component that performs authentication for SSH and many other services, hooking into it lets attackers maintain stealthy access after the initial compromise while bypassing the system's standard authentication checks.

For defenders, this is a clear signal to scrutinize PAM configurations and SSH access logs. Attackers are weaponizing legitimate system functionalities to maintain persistence. Relying solely on perimeter defenses is insufficient when internal components become the attack vector. This backdoor underscores the need for robust internal network monitoring and strict PAM module integrity checks.

What This Means For You

  • If your Linux systems are exposed or have been compromised, PamDOORa is a significant threat. This backdoor, leveraging PAM, could grant persistent SSH access with a 'magic password' that bypasses your standard authentication. You need to immediately audit your PAM configurations for unauthorized modifications and review SSH logs for unusual login patterns, especially on non-standard ports.
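The two checks called for above, auditing the PAM stack for unauthorized modules and verifying module integrity, can be scripted. The following Python is an added example written for this write-up; it is not code from the article, the reporting outlet, or the PamDOORa toolkit. It parses a PAM stack file in the standard `type control module-path [args]` layout used under /etc/pam.d, flags modules that are not in a recorded baseline or that are loaded from outside the distro's module directories, and compares module hashes against a stored baseline. The sample stack, the module name `pam_rogue_example.so`, the path `/opt/tools/pam_custom.so` and the hash values are constructed for illustration; the baseline module list is an assumption you would record from a known-clean system.

```python
"""Audit a PAM stack for modules that fall outside a recorded baseline.

Added example, not code from the article or from the malware.  Assumes the
standard Linux-PAM line layout and a baseline recorded from a clean host.
"""
import hashlib
import os
import re

# Directories where distribution packages install PAM modules.  A module
# referenced by an absolute path outside these deserves a closer look.
TRUSTED_MODULE_DIRS = (
    "/lib/security",
    "/lib64/security",
    "/usr/lib/security",
    "/usr/lib64/security",
    "/usr/lib/x86_64-linux-gnu/security",
)

# Assumed baseline of module names recorded from a clean system (constructed).
BASELINE_MODULES = {
    "pam_env.so", "pam_unix.so", "pam_deny.so", "pam_permit.so",
    "pam_systemd.so", "pam_limits.so", "pam_nologin.so",
}

# Control field is either a keyword or a bracketed "[value=action ...]" list.
_LINE_RE = re.compile(
    r"^(?P<opt>-?)(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)"
    r"(?:\s+(?P<args>.*))?$"
)

# Constructed /etc/pam.d/sshd-style stack with two lines a baseline would not contain.
SAMPLE_SSHD_STACK = """\
# PAM configuration for the Secure Shell service (constructed sample)
auth       required     pam_env.so
auth       sufficient   pam_rogue_example.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       requisite    pam_deny.so
@include common-account
-session   optional     pam_systemd.so
session    required     /opt/tools/pam_custom.so
"""


def parse_pam_stack(text):
    """Return one dict per non-comment line; @include and unparsable lines are kept."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment to end of line
        if not line:
            continue
        if line.startswith("@include"):
            entries.append({"include": line.split(None, 1)[1].strip()})
            continue
        m = _LINE_RE.match(line)
        if m is None:
            entries.append({"unparsed": line})
            continue
        entries.append({
            "type": m.group("type"),
            "control": m.group("control"),
            "module": m.group("module"),
            "args": (m.group("args") or "").strip(),
            "optional": m.group("opt") == "-",
        })
    return entries


def find_suspicious_modules(entries, known_modules):
    """Flag (reason, module, control) for modules outside the baseline or trusted dirs.

    The control is reported because a 'sufficient' entry in the auth stack
    short-circuits the modules after it, which is why it matters most.
    """
    findings = []
    for e in entries:
        if "unparsed" in e:
            findings.append(("unparsed-line", e["unparsed"], ""))
            continue
        if "module" not in e:
            continue
        mod = e["module"]
        if mod.startswith("/") and os.path.dirname(mod) not in TRUSTED_MODULE_DIRS:
            findings.append(("untrusted-path", mod, e["control"]))
        elif os.path.basename(mod) not in known_modules:
            findings.append(("unknown-module", mod, e["control"]))
    return findings


def sha256_file(path):
    """Streamed SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_module_dir(directory):
    """Map every .so in a PAM module directory to its SHA-256, for baselining."""
    return {name: sha256_file(os.path.join(directory, name))
            for name in sorted(os.listdir(directory)) if name.endswith(".so")}


def diff_module_hashes(current, baseline):
    """Compare {name: sha256} maps; returns sorted (changed, added, missing) names."""
    changed = sorted(n for n in current if n in baseline and current[n] != baseline[n])
    added = sorted(n for n in current if n not in baseline)
    missing = sorted(n for n in baseline if n not in current)
    return changed, added, missing


if __name__ == "__main__":
    # Use the live sshd stack when present, otherwise the constructed sample.
    path = "/etc/pam.d/sshd"
    text = open(path).read() if os.path.exists(path) else SAMPLE_SSHD_STACK
    for finding in find_suspicious_modules(parse_pam_stack(text), BASELINE_MODULES):
        print(*finding)
```

In practice you would run `hash_module_dir` on each trusted directory of a freshly provisioned host, store the result off-box, and feed it back as the `baseline` argument of `diff_module_hashes` during incident review; the `@include` entries should be followed into the referenced files so that the common-* stacks are audited too.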

Related ATT&CK Techniques

Indicators of Compromise

ID                  Type                    Indicator
PamDOORa-Backdoor   Auth Bypass             Linux systems with PamDOORa backdoor installed, allowing SSH access via magic password and specific TCP port
PamDOORa-Backdoor   Information Disclosure  Linux systems with PamDOORa backdoor installed, designed to steal SSH credentials
PamDOORa-Backdoor   Persistence             Linux systems utilizing PAM modules for post-exploitation persistence via PamDOORa
