PamDOORa: A Linux Backdoor Designed to Steal SSH Credentials


Key Takeaways

  • PamDOORa is a newly discovered Linux backdoor that steals SSH credentials by hijacking the Pluggable Authentication Module (PAM) framework.
  • The malware was advertised on the Russian‑speaking cybercrime forum Rehub for $1,600, later reduced to $900, signalling low demand or a rush to sell.
  • It abuses the legitimate pam_exec module to run a malicious script during authentication, a technique not yet catalogued in MITRE ATT&CK.
  • Once installed with root privileges, PamDOORa injects a rogue PAM shared object (pam_linux.so) that blends with system files, providing persistent SSH access via a secret “magic password” and a specific TCP port.
  • Captured credentials are XOR‑encrypted, written to /tmp under random names, and exfiltrated; the tool also erases login traces from lastlog, btmp, utmp, and wtmp to hinder forensic analysis.
  • Detection is difficult because the attack occurs inside the authentication layer, bypassing typical process‑level monitoring and application logs.
  • Recommended mitigations include enabling SELinux/AppArmor, deploying Auditd with DISA‑STIG rules, using rkhunter, disabling root SSH login, and restricting sudo access.
  • Indicators of Compromise (IoCs) involve the file names pam_linux.so and tn.sh, the /tmp directory for stolen data, network port 1234, modifications to /etc/pam.d/sshd, and abuse of pam_exec.so.

Emergence of PamDOORa as a Linux Threat
A new backdoor dubbed PamDOORa has surfaced, posing a serious and growing danger to Linux environments. Unlike conventional malware that creates noticeable processes, PamDOORa infiltrates the core authentication mechanism of the operating system—specifically the Pluggable Authentication Module (PAM) framework—to silently harvest SSH credentials. By operating at this low level, the threat evades many standard monitoring tools that focus on higher‑level activities, making it especially stealthy and difficult to detect once deployed.

Advertisement and Pricing on the Rehub Forum
The malware was first offered for sale on a Russian‑speaking cybercrime forum known as Rehub. The complete source code was initially listed at $1,600, but the seller quickly reduced the price to $900. This abrupt discount raised alarms among security researchers, who interpreted it as either a sign of limited buyer interest or a deliberate attempt to offload the tool rapidly. The pricing movement suggests the actor may be eager to monetize the exploit before defenses catch up.

Mechanism of Action: Hijacking the PAM Framework
PamDOORa’s core functionality lies in its ability to hijack the PAM subsystem, which Linux uses to verify user identities during login events. Rather than planting a visible binary, the backdoor injects a malicious PAM module directly into the authentication stack. This positioning allows it to intercept login attempts before they are processed by legitimate modules, thereby capturing credentials at the earliest possible stage and remaining invisible to casual inspection.

Abuse of pam_exec and Novelty in MITRE ATT&CK
Researchers from Group‑IB identified that PamDOORa exploits pam_exec, a legitimate PAM module designed to execute external commands during authentication events. By manipulating pam_exec, the malware runs a hostile script each time an SSH login occurs. Notably, this specific abuse of pam_exec has not yet been incorporated into the MITRE ATT&CK framework, meaning many organizations may lack dedicated detection rules or hunting queries for this technique, increasing the risk of successful compromise.

Threat Actor Profile: “darkworm”
The individual behind PamDOORa operates under the alias “darkworm” on the Rehub forum. Analysis of code snippets shared in the advertisement reveals a deep understanding of Linux internals and PAM mechanisms, indicating a technically proficient actor. Compared to other users who recycle the same handle on lower‑tier forums, darkworm demonstrates a higher level of expertise and seriousness, suggesting the malware is not a hastily assembled proof‑of‑concept but a purpose‑built tool for real‑world attacks.

Anti‑Forensic Capabilities and Credential Theft
What distinguishes PamDOORa from simpler backdoors is its built‑in anti‑forensic functionality. The malware actively sanitizes authentication logs—including lastlog, btmp, utmp, and wtmp—removing any trace of the attacker’s successful logins and leaving behind only failed attempts that investigators are likely to dismiss as noise. Simultaneously, credentials submitted by legitimate users are intercepted within the PAM layer, encrypted with a runtime‑generated XOR key, and written to /tmp under randomly generated filenames and timestamps. This dual approach not only steals secrets but also obscures the attacker’s footprint, complicating incident response.

Post‑Exploitation Nature and Persistence Mechanism
PamDOORa is designed as a post‑exploitation tool, requiring the attacker to already possess root access before deployment. Once installed, it places a malicious PAM shared object named pam_linux.so alongside authentic system modules, allowing it to blend in and avoid detection through file‑replacement heuristics. Persistence is achieved via a combination of a specific TCP port (observed as 1234) and a secret “magic password” known only to the attacker. A hidden routine continuously scans open connections, applies conditional logic to identify the attacker’s login, and grants silent SSH access while presenting normal users with an unchanged experience.

Credential Interception, Encryption, and Exfiltration
During each authentication attempt, PamDOORa captures the supplied username and password, encrypts them using XOR with a key generated at runtime, and stores the result in the /tmp directory under a randomized name. The encrypted blobs are later exfiltrated via a netcat (nc) listener bound to the designated port, enabling the attacker to harvest credentials without triggering typical data‑loss‑prevention alerts. Because the encryption and file writing occur inside the PAM stack, standard audit tools that monitor user‑space processes or file accesses often miss these operations.

Detection Challenges and Defensive Recommendations
Since the attack unfolds within the authentication layer, conventional monitoring that focuses on process execution or network traffic may fail to notice PamDOORa’s activity. Security teams should treat any compromised Linux server as having potentially exposed all credentials, regardless of the apparent scope of the breach. Mitigation strategies include enforcing SELinux and AppArmor for robust process isolation, configuring Auditd with DISA‑STIG‑recommended rules to watch for unauthorized modifications to PAM configuration files and shared objects, and deploying rootkit scanners such as rkhunter. Additionally, disabling direct root login over SSH, locking the root account, and restricting sudo privileges to only authorized users reduce the attack surface that PamDOORa depends on.

Indicators of Compromise (IoCs)
Based on the disclosed source material, the following IoCs can be used to hunt for PamDOORa infections:

  • File Name: pam_linux.so – the malicious PAM shared object injected into the authentication stack.
  • File Name: tn.sh – the script executed via pam_exec during SSH authentication attempts.
  • Directory: /tmp – location where stolen credential files are written with random names and timestamps.
  • Network Port: 1234 – the remote port used by netcat (nc) to exfiltrate encrypted credential data.
  • PAM Config Path: /etc/pam.d/sshd – the SSH PAM configuration file altered to load the malicious module.
  • PAM Module: pam_exec.so – the legitimate module abused to silently execute the hostile script.
    Note: IP addresses and domains referenced in original sources have been defanged (e.g., [.]) to prevent accidental resolution; they should be re‑fangled only within controlled threat‑intelligence platforms such as MISP, VirusTotal, or a SIEM.
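A defender-side check that ties the IoCs above to the PAM-configuration monitoring advice in the previous section: parse a PAM service file, flag pam_exec.so entries (with a direct hit on tn.sh), flag pam_linux.so, and flag any module outside an expected allowlist. This is an added example written for this article, not code from Group-IB or the article's sources; the allowlist and the sample /etc/pam.d/sshd content are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of an /etc/pam.d/sshd file (not a real capture). Lines 4 and 5
# reproduce the IoCs from the article: pam_exec launching tn.sh and an unknown
# pam_linux.so module sitting in the auth stack.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
@include common-auth
account    required     pam_nologin.so
auth       optional     pam_exec.so seteuid /usr/local/bin/tn.sh
auth       sufficient   pam_linux.so
session    [success=ok default=bad] pam_selinux.so open
session    required     pam_loginuid.so
@include common-session
"""

# Modules a stock sshd stack is expected to reference. This allowlist is an
# assumption for the example; derive yours from the distribution's PAM packages.
KNOWN_MODULES = {"pam_nologin.so", "pam_loginuid.so", "pam_keyinit.so", "pam_env.so",
                 "pam_unix.so", "pam_limits.so", "pam_motd.so", "pam_selinux.so",
                 "pam_systemd.so", "pam_mail.so"}
IOC_MODULE, IOC_SCRIPT = "pam_linux.so", "tn.sh"   # file-name IoCs from the article

# PAM line layout: [-]type  control  module-path [args]; control may be a bracketed list.
PAM_LINE = re.compile(r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")

def scan_pam_config(text: str, source: str = "/etc/pam.d/sshd") -> List[Dict[str, str]]:
    """Return one finding per suspicious PAM line; an empty list means nothing was flagged."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] == "#" or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            findings.append({"file": source, "line": str(lineno), "module": "?", "reason": "unparseable line", "text": line})
            continue
        module, args = m.group("module").rsplit("/", 1)[-1], m.group("args")
        if module == "pam_exec.so":
            # pam_exec is legitimate, but any external command in the sshd stack deserves review.
            reason = "pam_exec.so runs " + (f"{IOC_SCRIPT} (IoC match)" if IOC_SCRIPT in args else "an external command")
        elif module == IOC_MODULE:
            reason = f"{IOC_MODULE} is a known PamDOORa module name (IoC match)"
        elif module not in KNOWN_MODULES:
            reason = "module not in the expected allowlist"
        else:
            continue
        findings.append({"file": source, "line": str(lineno), "module": module, "reason": reason, "text": line})
    return findings

if __name__ == "__main__":
    for f in scan_pam_config(SAMPLE_PAM_SSHD):
        print(f"{f['file']}:{f['line']} [{f['module']}] {f['reason']}: {f['text']}")
```

Run it over every file in /etc/pam.d/ and compare the module set against what the package manager installed; a hit on pam_exec.so alone is a review item, while pam_linux.so or tn.sh warrants treating the host as compromised.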

Conclusion
PamDOORa exemplifies how adversaries are increasingly targeting low‑level operating system components to achieve stealthy credential harvesting. Its exploitation of the PAM framework, combined with anti‑forensic log wiping and encrypted credential exfiltration, renders it a formidable threat that can evade many conventional defenses. Organizations must adopt a defense‑in‑depth approach—hardening authentication mechanisms, enforcing strict access controls, and employing comprehensive logging and monitoring—to detect and mitigate such sophisticated Linux‑focused malware. Early identification of the outlined IoCs, coupled with proactive system hardening, remains essential to safeguarding against this emerging danger.
