- A new Linux backdoor called PamDOORa abuses PAM modules to steal SSH credentials.
- It is listed for sale on a Russian cybercrime forum, and the price recently dropped to $900.
- PamDOORa gives attackers persistent access, steals credentials, and includes log-tampering features.
Threat actors keep finding new ways into systems, and the latest example abuses a core piece of Linux authentication.
The tool is called PamDOORa. It targets how Linux handles user logins, and it could hand attackers the keys to your servers.
The Dark Web Listing
Flare.io security researchers have detailed a new threat called PamDOORa. A threat actor using the handle “darkworm” advertises it on the Russian cybercrime forum Rehub.
The initial asking price was 1,600 US dollars on March 17; by April 19 it had dropped to 900 US dollars, a cut of roughly 44 percent. The drop might mean few buyers showed interest, or darkworm may simply want a quick sale.
So what does PamDOORa actually do? It is a post-exploitation toolkit that abuses Pluggable Authentication Modules, or PAM for short. PAM is the standard authentication framework on Unix and Linux systems.
System administrators like PAM because it lets them add or swap authentication methods without touching the applications that use them: moving from passwords to a hardware token, for instance, is a configuration change, not a code change. That flexibility is exactly what makes it attractive to attackers.
PAM modules run inside the authenticating process, which for sshd, login and sudo means root. A malicious module can therefore do serious damage: it can capture credentials and open backdoors for attackers. Group-IB researchers had already flagged this risk, noting that PAM hands each module in the stack the cleartext password the user typed. That makes credential theft trivial for any module that is loaded.
How the Attack Actually Works
PamDOORa works in a specific way. It grants persistent SSH access when a login presents a hard-coded “magic” password and arrives with a specific TCP port combination; only when both conditions match does the backdoor let the session through.
But the tool does more than let attackers in. It also steals credentials from legitimate users: the module silently captures the password of everyone who authenticates on the compromised host.
The attack chain presupposes root access. The attacker first compromises the host by some other means, then installs the PamDOORa PAM module. From there they harvest more credentials and keep SSH access indefinitely.
One notable feature involves pam_exec, a stock module that runs an external command at a given stage of authentication. By adding a pam_exec line pointing at their own script to a PAM configuration file, attackers get code executed as root on every login, which gives them a privileged shell and stealthy persistence.
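The check a practitioner would want at this point is an audit of the PAM stack for exactly the patterns described above: an unknown module marked `sufficient` for `auth` (the shape a magic-password backdoor needs), a module loaded from a directory the distribution does not use, and `pam_exec.so` lines, especially ones carrying `expose_authtok`, which passes the cleartext password to the command. The following Python script is an added example written for this article; it is not Flare.io's or Group-IB's code and not part of PamDOORa. The module directories, the module allowlist and the sample /etc/pam.d/sshd are constructed assumptions: on a real host, generate the allowlist from your own baseline and read the files from /etc/pam.d instead of a string.

```python
import re
from dataclasses import dataclass, field
from posixpath import basename, dirname

# Directories where distribution packages install PAM modules.
# Assumption: extend for your distribution; on a live host, derive the set
# from the package manager rather than hard-coding it.
KNOWN_MODULE_DIRS = {
    "/lib/security", "/lib64/security",
    "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
}

# Modules a stock sshd/login stack is expected to contain.
# Assumption: a site-specific baseline, not a complete list of PAM modules.
EXPECTED_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
    "pam_faildelay.so", "pam_nologin.so", "pam_limits.so", "pam_motd.so",
    "pam_mail.so", "pam_systemd.so", "pam_loginuid.so", "pam_keyinit.so",
    "pam_selinux.so", "pam_sepermit.so", "pam_access.so", "pam_lastlog.so",
    "pam_faillock.so", "pam_pwquality.so", "pam_succeed_if.so", "pam_umask.so",
}


@dataclass
class Entry:
    file: str
    lineno: int
    type: str      # auth / account / password / session (a "-" prefix is allowed)
    control: str   # required / sufficient / [success=1 default=ignore] ...
    module: str    # pam_unix.so or an absolute path
    args: list = field(default_factory=list)


@dataclass
class Finding:
    severity: str
    file: str
    lineno: int
    message: str


# type  control (plain word or bracketed form)  module  [args...]
_LINE_RE = re.compile(r"^(-?[a-z]+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_file(name, text):
    """Parse one /etc/pam.d file; comments, blank lines and @include are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"{name}:{lineno}: unparsable PAM line {raw!r}")
        typ, control, module, args = m.groups()
        entries.append(Entry(name, lineno, typ, control, module, args.split()))
    return entries


def audit_entries(entries):
    """Flag the patterns a PAM backdoor leaves behind in the configuration."""
    findings = []
    for e in entries:
        base = basename(e.module)
        if e.module.startswith("/") and dirname(e.module) not in KNOWN_MODULE_DIRS:
            findings.append(Finding("high", e.file, e.lineno,
                f"module {e.module} is loaded from a non-standard directory"))
        if base == "pam_exec.so":
            if "expose_authtok" in e.args:
                findings.append(Finding("high", e.file, e.lineno,
                    "pam_exec.so with expose_authtok hands the cleartext password "
                    f"to an external command: {' '.join(e.args)}"))
            else:
                findings.append(Finding("medium", e.file, e.lineno,
                    f"pam_exec.so runs an external command during authentication: {' '.join(e.args)}"))
        elif base not in EXPECTED_MODULES:
            findings.append(Finding("medium", e.file, e.lineno,
                f"module {base} is not in the baseline allowlist"))
            if e.type.lstrip("-") == "auth" and e.control == "sufficient":
                findings.append(Finding("high", e.file, e.lineno,
                    f"unknown module {base} is 'sufficient' for auth: its own success "
                    "grants login, the shape a magic-password backdoor needs"))
    return findings


# Constructed sample: a Debian-style /etc/pam.d/sshd with two hostile lines added.
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service (constructed sample)
auth       required     pam_sepermit.so
auth       sufficient   /usr/lib/pam_helper.so
auth       optional     pam_exec.so expose_authtok quiet /usr/local/bin/sync_cred.sh
@include common-auth
account    required     pam_nologin.so
@include common-account
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
session    optional     pam_motd.so noupdate
session    required     pam_env.so
"""


def audit_sample():
    return audit_entries(parse_pam_file("/etc/pam.d/sshd", SAMPLE_SSHD))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.severity:<6} {f.file}:{f.lineno}  {f.message}")
```

On the sample, lines 3 and 4 produce four findings: the helper module is flagged three times (non-standard directory, not in the allowlist, and `sufficient` for `auth`), and the pam_exec line once for `expose_authtok`. Pair the config audit with a file-integrity check of the module directory (for example `dpkg -V libpam-modules` or `rpm -V pam`), since a backdoor can also replace a legitimately named module in place.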
Covering Tracks Like a Pro
PamDOORa also includes anti-forensic capabilities. It methodically tampers with authentication logs, with one simple goal: erase any trace of malicious activity.
That makes detection hard. The backdoor can sit on a host without administrators noticing, because the module hides itself, harvests passwords and lets attackers in while leaving no obvious sign in the logs they would normally check.
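One way to catch a scrubbed authentication log is to compare it with a second record that the same login should have produced. As an added example, not from the original article or from any of the researchers it cites, the script below parses login records from a wtmp image (the glibc x86_64 struct utmp layout is an assumption; other ABIs differ) and sshd “Accepted” lines from a syslog-style auth log, then reports logins present in one record but missing from the other. All records are constructed sample data built inside the block, the year is assumed because syslog stamps carry none, and the check assumes the attacker cleaned one source but not the other.

```python
import re
import struct
from datetime import datetime, timezone

# glibc x86_64 struct utmp (384 bytes): ut_type, pad, ut_pid, ut_line, ut_id,
# ut_user, ut_host, ut_exit (2 x short), ut_session, ut_tv (sec, usec),
# ut_addr_v6 (4 x int32), reserved. Assumption: adjust the format for other ABIs.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7                        # ut_type of a normal user login
YEAR = 2026                             # syslog lines carry no year (assumption)
WINDOW = 120                            # seconds of slack between the two records

_ACCEPTED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+"
)


def ts(stamp):
    """Epoch seconds for a syslog-style 'Apr 19 10:02:11' stamp, taken as UTC."""
    return int(datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


def pack_utmp(user, host, when, line="pts/0", pid=4242):
    """Build one USER_PROCESS wtmp record (used only to construct sample data)."""
    return struct.pack(UTMP_FMT, USER_PROCESS, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0)


def parse_wtmp(blob):
    """Return (user, host, epoch) for every login record in a wtmp image."""
    logins = []
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack(UTMP_FMT, blob[off:off + UTMP_SIZE])
        ut_type, _pid, _line, _id, user, host, _term, _exit, _sess, sec = rec[:10]
        if ut_type == USER_PROCESS:
            logins.append((user.rstrip(b"\0").decode(), host.rstrip(b"\0").decode(), sec))
    return logins


def parse_auth_log(text):
    """Return (user, host, epoch) for every sshd 'Accepted' line."""
    logins = []
    for line in text.splitlines():
        m = _ACCEPTED_RE.match(line)
        if m:
            logins.append((m.group(2), m.group(3), ts(m.group(1))))
    return logins


def _matches(login, others):
    user, host, sec = login
    return any(u == user and h == host and abs(t - sec) <= WINDOW for u, h, t in others)


def cross_check(wtmp_logins, syslog_logins):
    """Report logins that one record holds and the other does not."""
    findings = []
    for user, host, sec in wtmp_logins:
        if not _matches((user, host, sec), syslog_logins):
            findings.append(f"wtmp: login for {user} from {host} at {sec} has no sshd 'Accepted' line")
    for user, host, sec in syslog_logins:
        if not _matches((user, host, sec), wtmp_logins):
            findings.append(f"auth.log: sshd accepted {user} from {host} at {sec} but wtmp has no entry")
    return findings


# Constructed sample: alice is in both records; the root login from 198.51.100.7
# was scrubbed from auth.log, and bob's login was scrubbed from wtmp.
SAMPLE_WTMP = (pack_utmp("alice", "203.0.113.5", ts("Apr 19 10:02:11"))
               + pack_utmp("root", "198.51.100.7", ts("Apr 19 10:15:40"), pid=2470))
SAMPLE_AUTH_LOG = """\
Apr 19 10:02:11 web1 sshd[2311]: Accepted password for alice from 203.0.113.5 port 51022 ssh2
Apr 19 10:02:11 web1 sshd[2311]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)
Apr 19 10:40:03 web1 sshd[2590]: Accepted publickey for bob from 203.0.113.9 port 40100 ssh2
"""


def check_sample():
    return cross_check(parse_wtmp(SAMPLE_WTMP), parse_auth_log(SAMPLE_AUTH_LOG))


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

The same comparison works against any independent record of the login, such as auditd USER_LOGIN events or a remote syslog collector; the more useful the second source, the less likely it is to be writable by the compromised host at all, which is why shipping authentication logs off-box is the strongest answer to this class of anti-forensics.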
So far there is no evidence that the tool has been used against anyone: researchers have not observed PamDOORa in active use. The potential for damage, however, remains high.
The stealthy nature of backdoors is a growing concern across the software ecosystem. In a recent high-profile case, attackers planted backdoors in over 30 WordPress plugins before being discovered, prompting an emergency security patch. That incident showed that backdoors can stay hidden in widely distributed software for extended periods.
A Step Up From Basic Hacker Scripts
Flare.io researcher Assaf Morag explains why PamDOORa matters. It is not just another proof-of-concept script. The individual techniques, PAM hooks and credential capture, are well known; what makes this tool dangerous is how they are combined.
PamDOORa is a cohesive, modular implant. It includes anti-debugging features, network-aware triggers and even a builder pipeline for customization. That places it closer to professional-grade tooling than to the crude scripts found in most public repositories.
It is the second publicly reported Linux backdoor to target the PAM stack; the first was called Plague. PamDOORa therefore represents an evolution, improving on the open-source PAM backdoors that already exist.
The bottom line: Linux administrators need to monitor their PAM configurations closely. A compromised module can hand over the entire system, and with tools like PamDOORa for sale, the barrier to entry keeps dropping.