PamDOORa Backdoor Steals SSH Credentials via Linux PAM Modules
A new Linux backdoor named PamDOORa, sold for $1,600 on the Rehub forum, uses PAM modules to steal SSH credentials via a magic password and TCP port combination.

Executive Summary
A new Linux backdoor called PamDOORa is being sold on the Russian-language cybercrime forum Rehub for $1,600 by a threat actor using the handle "darkworm." According to researchers at the cybersecurity firm who disclosed the findings, PamDOORa operates as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that intercepts SSH authentication to steal credentials. The backdoor grants persistent remote access through a hardcoded "magic password" combined with a specific TCP port, bypassing normal authentication. The malware is designed to evade detection by blending into the PAM stack, a critical component of Linux authentication.
Technical Analysis
PamDOORa is implemented as a malicious PAM module that hooks into the standard Linux authentication flow. When a user attempts to authenticate via SSH, the backdoor captures the plaintext credentials before passing them to the legitimate PAM stack for verification. The stolen credentials are logged to a hidden file accessible only to the attacker.
PamDOORa also provides a covert access mechanism: if an SSH connection attempt uses the magic password and arrives from the configured source port, the module grants immediate root-level access without validating against the system's password database. This dual functionality, credential theft plus persistent unauthorized access, makes it particularly dangerous on compromised Linux servers.
Researchers noted that PamDOORa is sold as a complete package, including a builder tool that allows the buyer to customize the magic password, the trigger port, and the credential log location. The malware is compiled as a shared object library (.so file) that must be loaded into the PAM configuration, typically by modifying /etc/pam.d/ files. The threat actor claims the backdoor works on major Linux distributions including Ubuntu, Debian, CentOS, and RHEL.
Attribution to the Rehub forum and the seller "darkworm" is based on forum listings analyzed by the researchers. The seller's identity and operational security posture remain unconfirmed. The malware's code quality and feature set suggest a moderately skilled developer, though no ties to known APT groups have been established.
Tactics, Techniques & Procedures
PamDOORa employs a credential access technique (T1649) by intercepting authentication data at the PAM layer, which is a trusted system component. For persistence (T1547), it relies on the PAM configuration being modified to load the malicious module at boot time. The backdoor also uses defense evasion (T1014) by operating as a rootkit-like component within the authentication stack, making it difficult to detect with standard file-system scanners. The magic password mechanism is a variant of a hardcoded credential backdoor (T1556.001).
Mitigations & Recommendations
Defenders should monitor for unauthorized modifications to PAM configuration files, particularly in /etc/pam.d/ directories. File integrity monitoring (FIM) tools can alert on changes to pam.conf or individual service files. Any unexpected .so files in /lib/security/ or /usr/lib/security/ should be investigated. Additionally, enabling SSH key-based authentication and disabling password-based SSH access reduces the attack surface for credential theft. Organizations should also audit SSH login attempts for unusual source ports or repeated authentication failures that may indicate magic password probing. Regular scanning for unknown PAM modules using tools like pam_tally2 or authconfig can help detect unauthorized modifications.
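As an added example that is not part of the original report, the following Python script implements the PAM audit described above: it parses /etc/pam.d-style service files and flags any module that is not on a known-good allow-list, or that is loaded by absolute path from outside the distribution's module directories. The allow-list, trusted directories and the sample sshd file are constructed assumptions; a real deployment derives the baseline from the distribution's package manifest.

```python
import re
from pathlib import Path

# Constructed allow-list of module basenames (assumption, not a real manifest).
KNOWN_MODULES = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
                 "pam_nologin.so", "pam_limits.so", "pam_motd.so"}
# Directories where distribution-shipped PAM modules normally live.
TRUSTED_DIRS = ("/lib/security/", "/usr/lib/security/",
                "/lib/x86_64-linux-gnu/security/", "/usr/lib64/security/")

# pam.d line: <type> <control> <module> [args]; control may be a bracketed
# expression containing spaces, so match the first token ending in .so.
MODULE_RE = re.compile(r"^\s*(?!#)\S+\s+(?:\[[^\]]*\]|\S+)\s+(\S+\.so)")

def audit_pam_text(service, text):
    """Return one finding per module line that is not allow-listed or that
    is loaded by absolute path from outside the trusted module directories."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = MODULE_RE.match(line)
        if not m:
            continue  # comment, blank, @include, or unparsable line
        module = m.group(1)
        reasons = []
        if Path(module).name not in KNOWN_MODULES:
            reasons.append("module not in baseline")
        if module.startswith("/") and not module.startswith(TRUSTED_DIRS):
            reasons.append("loaded from untrusted path")
        if reasons:
            findings.append({"service": service, "line": lineno,
                             "module": module, "reasons": reasons})
    return findings

def audit_pam_dir(pam_dir="/etc/pam.d"):
    """Audit every service file in a pam.d directory (run as root)."""
    return [f for p in sorted(Path(pam_dir).glob("*")) if p.is_file()
            for f in audit_pam_text(p.name, p.read_text(errors="replace"))]

# Constructed sample sshd service file: standard lines plus one module in a
# hidden directory, the kind of unexpected .so the article says to investigate.
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       optional     /tmp/.cache/pam_sshlog.so
account    required     pam_nologin.so
session    optional     pam_motd.so motd=/run/motd.dynamic
"""

if __name__ == "__main__":
    for finding in audit_pam_text("sshd", SAMPLE_SSHD):
        print(finding)
```

Run against a live system with `audit_pam_dir()`; pair it with file integrity monitoring, since this check only sees what the configuration currently references.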
