How ‘Plague’ infiltrated Linux systems without leaving a trace

From obfuscation to audit evasion, Plague's stealth begins at compile time. Early versions used simple XOR-based string encoding, but later variants layer several encryption stages, including custom KSA/PRGA routines (the key-scheduling and keystream-generation phases of an RC4-style stream cipher) and DRBG-based stages, to hide decrypted payloads and strings. Stacking a Key Scheduling Algorithm (KSA), a Pseudo-Random Generation Algorithm (PRGA) and a Deterministic Random Bit Generator (DRBG) in this way is intended to defeat both static signature scanning and sandbox-based analysis tools: the plaintext strings a signature would match on only appear in memory after every stage has run.

Despite having been active for a long time, Plague's attribution remains unknown. Its authors did leave some clues behind the de-obfuscation routines, however. A sample named "hijack" prints a message after "pam-authenticate" that references the movie "Hackers": "Uh. Mr. The Plague, sir? I think we have a hacker."

Nextron recommends adopting behavioral, memory-based and PAM-focused forensic strategies. Security teams are also advised to actively audit PAM configurations, monitor for newly dropped .so files in /lib/security/, and track environment-level tampering and suspicious cleanup behaviour.
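As an added example that is not part of the article or of Nextron's own tooling, the following POSIX shell script implements the two PAM checks recommended above: it compares the PAM module directory against a sha256 baseline captured earlier from a known-good host (flagging newly dropped or replaced .so files) and parses the stacks under /etc/pam.d for any module the baseline never saw. The directory paths, the baseline format and the sample data it builds for itself are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or from Nextron: offline triage
# of a PAM installation against a sha256 baseline. Assumed layout:
#   pam_audit /etc/pam.d /lib/security /var/lib/pam-baseline.sha256
# where the baseline was written on a clean host with
#   (cd /lib/security && sha256sum *.so) > pam-baseline.sha256
set -u

# Module names loaded by every PAM stack under $1 (normally /etc/pam.d).
# Handles the bracketed control form "[success=1 default=ignore]", which
# contains spaces, strips comments, and ignores "include" directives so
# that "pam_unix.so" and "/lib/security/pam_unix.so" compare equal.
pam_referenced_modules() {
    cat "$1"/* 2>/dev/null | sed 's/#.*//' | awk '
        NF >= 3 && $1 != "@include" {
            i = 3
            if ($2 ~ /^\[/) { while (i <= NF && $(i - 1) !~ /]$/) i++ }
            if (i <= NF && $i ~ /\.so/) { sub(".*/", "", $i); print $i }
        }' | sort -u
}

# .so files in module directory $1 that are absent from baseline $2
# ("<sha256>  <filename>" lines) or whose hash changed. A dropped backdoor
# shows up as NEW, a trojaned stock module as MODIFIED.
pam_module_drift() {
    mod_dir=$1; baseline=$2
    for f in "$mod_dir"/*.so*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        base=$(awk -v n="$name" '$2 == n { print $1 }' "$baseline")
        if [ -z "$base" ]; then echo "NEW $name"
        elif [ "$base" != "$sum" ]; then echo "MODIFIED $name"
        fi
    done
}

# Stack lines that load a module the baseline never saw: the persistence
# edit that auditing PAM configurations is meant to catch.
pam_unbaselined_references() {
    pamd_dir=$1; baseline=$2
    pam_referenced_modules "$pamd_dir" | while read -r m; do
        awk -v n="$m" '$2 == n { f = 1 } END { exit !f }' "$baseline" \
            || echo "UNBASELINED $m"
    done
}

# All checks; one finding per line, no output on a clean host.
pam_audit() {
    pam_module_drift "$2" "$3"
    pam_unbaselined_references "$1" "$3"
}

# Constructed fixture (fake module contents, made-up module name) so the
# script runs offline. It models a host where one stock module was replaced
# and one new module was dropped and wired into the sshd stack.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/pam.d" "$d/security"
    printf 'stock pam_unix\n' > "$d/security/pam_unix.so"
    printf 'stock pam_env\n' > "$d/security/pam_env.so"
    (cd "$d/security" && sha256sum pam_unix.so pam_env.so) > "$d/baseline.sha256"
    printf 'trojaned\n' > "$d/security/pam_unix.so"               # MODIFIED
    printf 'dropped\n' > "$d/security/pam_example_dropped.so"     # NEW
    cat > "$d/pam.d/sshd" <<'EOF'
# constructed sample stack
auth    [success=1 default=ignore] pam_unix.so nullok
auth    required   pam_env.so
auth    optional   /lib/security/pam_example_dropped.so
session include    common-session
EOF
    echo "$d"
}

# Demo run against the fixture; expect NEW, MODIFIED and UNBASELINED lines.
demo=$(make_fixture)
pam_audit "$demo/pam.d" "$demo/security" "$demo/baseline.sha256"
rm -rf "$demo"
```

On Debian-derived systems the modules live under /lib/x86_64-linux-gnu/security rather than /lib/security, so point the second argument at whichever directory `pam_unix.so` actually resolves to. The baseline must come from a host you trust; hashing a machine that is already compromised only baselines the backdoor.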

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4033499/how-plague-infiltrated-linux-systems-without-leaving-a-trace.html
