New Linux PamDOORa Backdoor Uses PAM Modules for Persistence
A new Linux backdoor called PamDOORa is being sold on cybercrime forums. It grants persistent SSH access through a malicious Pluggable Authentication Module (PAM) rather than an exploit: the attacker must already have root on the host to install it.
A new Linux backdoor named PamDOORa has been identified, currently being marketed on the Rehub Russian cybercrime forum for $1,600. The malware is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that provides persistent SSH access to compromised Linux systems [The Hacker News].
Once the module is installed, the attacker logs in over SSH with a "magic password", presented in combination with a specific TCP port. Because PAM modules run inside sshd's authentication path, a rogue module can return success for that password regardless of the account's real credentials, so standard authentication is bypassed and the threat actor keeps a stealthy, persistent foothold on the server.
Security professionals are advised to monitor the distribution's PAM module directory (for example /lib64/security or /usr/lib/x86_64-linux-gnu/security) for new or modified .so files, to watch /etc/pam.d/ and /etc/pam.conf for unauthorized changes, and to verify installed PAM files against the package manager (rpm -V, dpkg -V) or a known-good baseline. Multi-factor authentication and regular review of SSH access logs remain important, with one caveat: MFA enforced through PAM itself can be short-circuited by a rogue module placed ahead of it in the stack, so it is defence in depth, not a substitute for integrity monitoring of the PAM configuration and modules.
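The audit below is an added example for this article, not PamDOORa's code, a signature for it, or the project's own tooling. It demonstrates the two generic checks the advice above calls for: parsing /etc/pam.d/<service> files to flag modules outside a baseline and auth entries whose control can grant success before the primary password module runs, plus a hash comparison for replaced or dropped-in module binaries. The baseline set, the sample sshd configuration and the module name pam_example_backdoor.so are constructed for the example and assume a Debian-style layout.

```python
"""Audit PAM configuration and module files for backdoor-style tampering (added example)."""
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path

# Constructed baseline. On a real host derive it from the package manager
# (dpkg -L libpam-modules, rpm -ql pam) and a known-good image of the box.
BASELINE_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_nologin.so",
    "pam_limits.so", "pam_systemd.so", "pam_loginuid.so", "pam_keyinit.so",
    "pam_motd.so", "pam_mail.so", "pam_umask.so", "pam_faildelay.so",
}
# Modules that actually verify a credential. A short-circuiting entry placed
# ahead of these is what lets a "magic password" module grant a session alone.
PRIMARY_AUTH_MODULES = {"pam_unix.so", "pam_sss.so", "pam_ldap.so", "pam_krb5.so", "pam_winbind.so"}


@dataclass
class PamEntry:
    service: str
    line_no: int
    type: str      # auth, account, password, session
    control: str   # required, sufficient, ... or a bracketed [value=action ...] list
    module: str    # basename of the module, e.g. pam_unix.so
    args: str


_ENTRY = re.compile(r"^(-?[a-z]+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_config(service: str, text: str) -> list[PamEntry]:
    """Parse one /etc/pam.d/<service> file; comments and @include lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = _ENTRY.match(line)
        if m:
            typ, control, path, args = m.groups()
            entries.append(PamEntry(service, line_no, typ.lstrip("-"), control,
                                    path.rsplit("/", 1)[-1], args))
    return entries


def short_circuits(control: str) -> bool:
    """True if a success from this entry can end the stack before later entries run."""
    if control in ("sufficient", "binding"):
        return True
    # Bracketed form: success=done ends the stack, success=N skips the next N entries.
    return bool(re.search(r"\bsuccess=(done|\d+)\b", control))


def audit_pam(entries: list[PamEntry], baseline=BASELINE_MODULES) -> list[str]:
    """Flag unknown modules and auth entries that can grant access before a primary module."""
    findings, primary_seen = [], False
    for e in entries:
        where = f"{e.service}:{e.line_no}"
        if e.module not in baseline:
            findings.append(f"{where}: module {e.module} is not in the baseline")
        if e.type != "auth":
            continue
        if e.module in PRIMARY_AUTH_MODULES:
            primary_seen = True
        elif short_circuits(e.control) and not primary_seen:
            findings.append(f"{where}: {e.module} ({e.control}) can grant auth "
                            f"before any primary password module runs")
    return findings


def hash_modules(directory: str) -> dict[str, str]:
    """SHA-256 of every .so in a PAM module directory, e.g. /usr/lib/x86_64-linux-gnu/security."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest() for p in Path(directory).glob("*.so")}


def compare_hashes(observed: dict[str, str], baseline: dict[str, str]) -> list[str]:
    """Report modules whose binary changed or that the baseline never contained."""
    findings = []
    for name, digest in sorted(observed.items()):
        if name not in baseline:
            findings.append(f"{name}: not in baseline (new module dropped in)")
        elif baseline[name] != digest:
            findings.append(f"{name}: hash mismatch (module binary replaced)")
    return findings


# Constructed sample: a trimmed Debian-style /etc/pam.d/sshd with the auth stack inlined.
CLEAN_SSHD = """\
# PAM configuration for the Secure Shell service (constructed sample)
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    required                    pam_env.so
account required                    pam_nologin.so
account required                    pam_unix.so
session required                    pam_loginuid.so
session optional                    pam_keyinit.so force revoke
session required                    pam_limits.so
session optional                    pam_systemd.so
password required                   pam_unix.so obscure use_authtok sha512
"""
# Same file with one constructed backdoor entry ahead of pam_unix. The module name is
# invented for this example and is not PamDOORa's.
TAMPERED_SSHD = CLEAN_SSHD.replace(
    "auth    [success=1 default=ignore]  pam_unix.so nullok",
    "auth    sufficient                  pam_example_backdoor.so\n"
    "auth    [success=1 default=ignore]  pam_unix.so nullok", 1)

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_SSHD), ("tampered", TAMPERED_SSHD)):
        print(label, audit_pam(parse_pam_config("sshd", text)) or "no findings")
```

On a live host, run parse_pam_config over every file in /etc/pam.d and feed hash_modules of the module directory into compare_hashes against hashes recorded from a clean build; the config audit alone misses the case where an existing module such as pam_unix.so is replaced in place, which is exactly what the hash comparison covers.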