A sophisticated new backdoor dubbed PamDOORa has emerged as a high-priority threat to Linux environments. Unlike typical malware that operates in the user space, PamDOORa embeds itself into the Pluggable Authentication Module (PAM) framework—the very foundation of Linux identity verification.
The malware was first spotted on the Russian-language cybercrime forum Rehub, where a threat actor known as “darkworm” listed the source code for $1,600 before dropping the price to $900. This price cut suggests a rush to distribute the tool among the cybercrime underground.
The Mechanism: Hijacking the Authentication Layer
PamDOORa is a post-exploitation tool, meaning an attacker must already possess root privileges to install it. Once deployed, it doesn’t just sit on the disk; it integrates into the system’s login flow.
The Abuse of pam_exec:
Researchers from Group-IB discovered that PamDOORa specifically abuses the legitimate pam_exec.so module. This module is designed to run an external command or script at a given point in the PAM stack, for example during a login event. PamDOORa misuses this to trigger a malicious script (tn.sh) every time a user attempts to authenticate via SSH.
How it Stays Hidden:
- No Active Process: Because it runs as a module loaded into the `sshd` process, it doesn't appear as a suspicious standalone program in tools like `top` or `ps`. The only separate process is the `tn.sh` script that `pam_exec` spawns, and that exists only for the duration of a login attempt.
- Shared Object Injection: It creates a file named `pam_linux.so`, which blends in with the legitimate PAM modules in the `/lib/security/` directory (the exact path is distro-specific; `/lib64/security/` and `/lib/x86_64-linux-gnu/security/` are common equivalents).
The “Magic Password” and Log Manipulation
PamDOORa provides the attacker with two primary benefits: credential harvesting and stealthy persistence.
- Credential Theft: Every time a legitimate user logs in, their plaintext credentials are intercepted within the PAM stack. The malware XOR-encrypts this data and hides it in the `/tmp/` directory under randomized filenames to evade detection.
- Backdoor Access: The attacker can log in using a "magic password", with a specific TCP port (often 1234) acting as an additional trigger. The malware recognizes these triggers and grants a root shell without leaving a trace in standard logs.
- Anti-Forensics: PamDOORa is programmed to scrub `utmp`, `wtmp`, and `lastlog`, the files behind `who`, `last` and `lastlog`. This effectively deletes the attacker's session history on the host, making it look as though they were never there. Records already forwarded to a remote log collector are out of its reach.
Mitigation and Indicators of Compromise (IoCs)
Because PamDOORa operates at such a low level, standard antivirus often misses it. Security teams should look for unauthorized modifications to /etc/pam.d/sshd, in particular `pam_exec.so` entries that point at a script in `/tmp/` or another unexpected location, and for module files in the PAM module directory that no installed package owns.
Key Indicators:
| Type | Indicator | Description |
| --- | --- | --- |
| File Name | pam_linux.so | Malicious PAM module in the security stack |
| File Name | tn.sh | Script triggered during SSH authentication |
| Network Port | 1234 | Default port used for exfiltration/backdoor access |
| Directory | /tmp/ | Look for randomized, encrypted files created during login |
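The mechanism described earlier (an active `pam_exec.so` line in `/etc/pam.d/sshd` pointing at a script such as `/tmp/tn.sh`, plus a dropped-in `pam_linux.so`) and the indicators in the table above can be hunted with a small script. The following bash audit is an added example, not tooling from Group-IB and not anything the report itself provides: it lists every active `pam_exec.so` entry under a pam.d directory, flags those whose script lives in a world-writable location, prints the set of modules the configuration references (to diff against a known-good baseline), and reports any module file in the usual PAM module directories that neither `dpkg` nor `rpm` claims. The list of module directories and the set of world-writable paths are assumptions for illustration; the exact line PamDOORa injects is not published in the report.

```bash
#!/usr/bin/env bash
# Added example (not from the report or from Group-IB): hunt for PamDOORa-style
# PAM tampering. Run as root; pass a directory to pam_audit to inspect a
# mounted image instead of the live /etc/pam.d.
set -u

# Where PAM modules normally live. Assumed list; the real path is distro
# specific (/lib/security, /lib64/security, /lib/x86_64-linux-gnu/security ...).
PAM_MODULE_DIRS="/lib/security /lib64/security /lib/x86_64-linux-gnu/security \
/usr/lib/security /usr/lib64/security /usr/lib/x86_64-linux-gnu/security"

# pam_exec_entries DIR: "file:line:text" for every active (uncommented)
# pam_exec.so entry in the PAM config files under DIR. Always exits 0.
pam_exec_entries() {
  grep -nH -E '^[^#]*pam_exec\.so' "$1"/* 2>/dev/null || true
}

# suspicious_pam_exec DIR: the subset of pam_exec entries whose script sits in
# a world-writable directory such as /tmp (where the report places tn.sh).
# Assumed heuristic; a legitimate pam_exec hook normally lives under /usr or /etc.
suspicious_pam_exec() {
  grep -nH -E '^[^#]*pam_exec\.so[^#]*[[:space:]](/tmp|/var/tmp|/dev/shm)/' \
    "$1"/* 2>/dev/null || true
}

# referenced_modules DIR: sorted unique pam_*.so names referenced by active
# lines under DIR, for diffing against a known-good baseline of the same distro.
referenced_modules() {
  grep -hE '^[^#]*pam_[A-Za-z0-9_]+\.so' "$1"/* 2>/dev/null \
    | sed -E 's/#.*$//' \
    | grep -oE 'pam_[A-Za-z0-9_]+\.so' \
    | sort -u || true
}

# module_owner PATH: package that owns PATH, or UNOWNED if neither dpkg nor rpm
# knows the file, which is what a dropped-in pam_linux.so looks like.
module_owner() {
  local p="$1" owner=""
  if command -v dpkg >/dev/null 2>&1; then
    owner=$(dpkg -S "$p" 2>/dev/null | head -n1 | cut -d: -f1)
  fi
  if [ -z "$owner" ] && command -v rpm >/dev/null 2>&1 && rpm -qf "$p" >/dev/null 2>&1; then
    owner=$(rpm -qf "$p" 2>/dev/null)
  fi
  printf '%s\n' "${owner:-UNOWNED}"
}

# unowned_modules: every *.so in the PAM module directories that no package owns.
unowned_modules() {
  local d f
  for d in $PAM_MODULE_DIRS; do
    [ -d "$d" ] || continue
    for f in "$d"/*.so; do
      [ -f "$f" ] || continue
      if [ "$(module_owner "$f")" = UNOWNED ]; then
        printf '%s\n' "$f"
      fi
    done
  done
}

# pam_audit [DIR]: run the checks (DIR defaults to /etc/pam.d). Returns 1 when
# something needs a look, 0 when nothing was flagged.
pam_audit() {
  local dir="${1:-/etc/pam.d}" findings=0 out
  out=$(suspicious_pam_exec "$dir")
  if [ -n "$out" ]; then
    echo "== pam_exec scripts in world-writable locations =="; printf '%s\n' "$out"
    findings=1
  fi
  out=$(pam_exec_entries "$dir")
  if [ -n "$out" ]; then
    echo "== all active pam_exec entries (confirm each is expected) =="; printf '%s\n' "$out"
  fi
  out=$(unowned_modules)
  if [ -n "$out" ]; then
    echo "== PAM modules not owned by any package =="; printf '%s\n' "$out"
    findings=1
  fi
  echo "== modules referenced under $dir (diff against a baseline) =="
  referenced_modules "$dir"
  return "$findings"
}
```

Package ownership only proves a file is listed in a package manifest; an attacker with root can overwrite an owned module in place, so follow up with `dpkg -V libpam-modules` or `rpm -V pam`, which compare file hashes against the package database. On merged-/usr systems the same module is reachable under two paths and only the one the package ships is recognized, so expect to whitelist one of the two directories.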
Defensive Recommendations:
- Enable Mandatory Access Control: Use SELinux or AppArmor to confine `sshd`, so that modules loaded into it cannot execute arbitrary scripts from locations such as `/tmp/`.
- Use Key-Based Auth: Disable password-based SSH authentication (`PasswordAuthentication no`, and also `KbdInteractiveAuthentication no`, called `ChallengeResponseAuthentication` in older OpenSSH, since a keyboard-interactive login still passes a typed password through PAM). If there is no password to type, there is no plaintext credential for PamDOORa to harvest. An attacker who already holds root can re-enable these settings, so treat `sshd_config` as a monitored file too.
- File Integrity Monitoring: Deploy tools like `auditd` or `AIDE` to alert you the moment any file in `/etc/pam.d/` or `/lib/security/` (or its distro-specific equivalent such as `/lib64/security/`) is modified, and forward authentication logs to a remote collector so that scrubbing `utmp`, `wtmp` and `lastlog` on the host does not erase the record.
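The recommendations above can be verified rather than assumed. The following bash snippet is an added example, not from the report: it reads the effective `PasswordAuthentication` setting the way sshd does (first occurrence wins, `Match` blocks ignored, with `sshd -T` preferred when available since it also resolves `Include` directives), emits auditd watch rules for the PAM and sshd configuration paths, and checks that `wtmp`/`btmp` never get smaller between runs, which is what a scrub looks like, since those files only grow until logrotate rotates them. The paths, the state file and the rule keys are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the report): verify the hardening advice instead of
# assuming it. Paths, state file and audit keys are assumed for illustration.
set -u

# sshd_option FILE KEYWORD: value sshd would use for KEYWORD from FILE alone.
# sshd keeps the FIRST value it sees for a keyword, so later lines lose; lines
# after a Match block belong to that block and are skipped; comments ignored.
# Prints DEFAULT when the keyword is absent (PasswordAuthentication defaults to
# yes). Does not follow Include, so prefer effective_sshd_option on a live host.
sshd_option() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match"       { inmatch = 1 }
    inmatch                      { next }
    tolower($1) == key && !found { print $2; found = 1 }
    END { if (!found) print "DEFAULT" }
  ' "$1"
}

# effective_sshd_option KEYWORD: ask sshd itself (resolves Include and built-in
# defaults; keywords come back lowercased) and fall back to parsing
# /etc/ssh/sshd_config when sshd -T is unavailable, e.g. when not root.
effective_sshd_option() {
  local key val
  key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  val=$(sshd -T 2>/dev/null | awk -v k="$key" '$1 == k { print $2 }')
  if [ -n "$val" ]; then printf '%s\n' "$val"; else sshd_option /etc/ssh/sshd_config "$1"; fi
}

# audit_rules: auditd watch rules for what PamDOORa touches on install. Save to
# /etc/audit/rules.d/pam.rules, drop the lines for directories your distro does
# not have, and load with `augenrules --load`.
audit_rules() {
  cat <<'EOF'
-w /etc/pam.d/ -p wa -k pam_config
-w /lib/security/ -p wa -k pam_modules
-w /lib64/security/ -p wa -k pam_modules
-w /lib/x86_64-linux-gnu/security/ -p wa -k pam_modules
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/ssh/sshd_config.d/ -p wa -k sshd_config
EOF
}

# log_shrank LOGFILE STATEFILE: wtmp and btmp only ever grow until logrotate
# rotates them, so a smaller size than last time means truncation or a rewrite
# (utmp reuses slots and lastlog is sparse, so apply this only to wtmp/btmp and
# reset STATEFILE when logrotate runs). Records the current size in STATEFILE;
# returns 0 (true) when LOGFILE shrank since the previous call.
log_shrank() {
  local log="$1" state="$2" now prev
  now=$(wc -c < "$log" 2>/dev/null || echo 0)
  prev=$(cat "$state" 2>/dev/null || echo 0)
  printf '%s\n' "$now" > "$state"
  [ "$now" -lt "$prev" ]
}

# hardening_report: one-screen summary of where the host stands. Run from cron.
hardening_report() {
  echo "PasswordAuthentication: $(effective_sshd_option PasswordAuthentication) (want: no)"
  echo "KbdInteractiveAuthentication: $(effective_sshd_option KbdInteractiveAuthentication) (want: no)"
  for f in /var/log/wtmp /var/log/btmp; do
    if log_shrank "$f" "/var/lib/pam-audit$(printf '%s' "$f" | tr / _).size"; then
      echo "ALERT: $f shrank since last run"
    fi
  done
  echo "auditd rules to install:"; audit_rules
}
```

Running the report once a day gives three things the page's advice needs but does not check on its own: that the password paths into PAM are really closed, that the files PamDOORa edits are under audit, and that the session history it scrubs has not silently gone backwards.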