A new Linux backdoor named Auto-color has been discovered, and reports indicate that it is specifically targeting universities and government offices in North America and Asia. The malware, identified by researchers at Palo Alto Networks Unit 42, has drawn attention for its evasion, persistence and anti-detection techniques.
Unit 42 found Auto-color active between November and December 2024. One distinctive trait is its use of innocuous file names, such as “door” or “egg,” for the initial executable. File sizes are consistent across samples, but the hashes differ because the author embeds a per-sample encrypted C2 configuration payload in each file, so hash-based indicators alone are unreliable for matching new samples.
On execution, Auto-color first checks whether its own file name matches a designated one. If it does not, it proceeds to the installation phase, dropping a malicious library implant that poses as a legitimate system library. What the malware does next depends on whether it runs as root: the library implant and the loader-based persistence it relies on require writing to root-owned files, so an unprivileged run can only carry out a reduced subset of these actions.
A key element of Auto-color’s stealth is its modification of the dynamic loader’s preload file, /etc/ld.so.preload. Every dynamically linked program on the host then loads the implant ahead of libc, so the implant’s exported functions shadow the real ones and it can intercept and alter calls made by any process, including the calls used to inspect network activity. In particular, the implant hides its network connections by intercepting reads of /proc/net/tcp and returning a filtered copy with the command-and-control connection removed, so netstat-style tools that read that file do not show it. Two caveats matter for defenders: a preload hook does not affect statically linked binaries, and it cannot hide the C2 traffic from a network sensor outside the host.
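As an added illustration of the hiding technique and the check a responder would run against it (example code written for this page, not Unit 42’s tooling and not the malware’s own code): the script below parses the /proc/net/tcp format, lists whatever /etc/ld.so.preload contains, and diffs a socket table read through the host’s libc against a reference copy of the same table. The sample table and preload contents are constructed, the library paths in them are placeholders, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# Socket state codes as printed in the "st" column of /proc/net/tcp
# (include/net/tcp_states.h in the kernel tree).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING", "0C": "NEW_SYN_RECV",
}


def decode_addr(hexaddr):
    """Decode 'IIIIIIII:PPPP' from /proc/net/tcp into (ip, port).

    The kernel prints the IPv4 address as the raw 32-bit word of the socket,
    so on a little-endian host (assumed here) '0100007F' is 127.0.0.1.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into one dict per socket.

    Columns: sl local_address rem_address st tx_queue:rx_queue tr:tm->when
    retrnsmt uid timeout inode ...  The header line is skipped; data rows
    start with a slot number followed by a colon.
    """
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):
            continue
        rows.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def preload_entries(text):
    """Shared objects listed in /etc/ld.so.preload.

    glibc treats the file as a whitespace-separated list and ignores '#'
    comments. On a clean host the file is normally absent or empty, so
    every entry returned here deserves a look.
    """
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def hidden_connections(libc_view, reference_view):
    """Sockets present in the reference snapshot but missing from the one
    read through libc, matched on the kernel socket inode."""
    seen = {row["inode"] for row in libc_view}
    return [row for row in reference_view if row["inode"] not in seen]


def triage(preload_text, libc_tcp_text, reference_tcp_text):
    """Combine both checks into one report."""
    return {
        "preload": preload_entries(preload_text),
        "hidden": hidden_connections(parse_proc_net_tcp(libc_tcp_text),
                                     parse_proc_net_tcp(reference_tcp_text)),
    }


# Constructed sample data (not captured from a real host); library paths are
# placeholders. The reference view lists a listening sshd plus an established
# outbound connection; the "libc view" is the same table with that row filtered.
SAMPLE_PRELOAD = "# preload config\n/usr/lib/libexample.so.2   /usr/lib/libother.so\n"
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
ROW_SSHD = "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0\n"
ROW_C2 = "   1: 0A01A8C0:C822 0200000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1\n"
SAMPLE_REFERENCE = HEADER + ROW_SSHD + ROW_C2
SAMPLE_LIBC_VIEW = HEADER + ROW_SSHD

if __name__ == "__main__":
    report = triage(SAMPLE_PRELOAD, SAMPLE_LIBC_VIEW, SAMPLE_REFERENCE)
    for lib in report["preload"]:
        print("preload entry:", lib)
    for row in report["hidden"]:
        print("hidden connection:", row["local"], "->", row["remote"],
              row["state"], "uid", row["uid"])
```

On a live host the reference copy must not itself pass through the hooked libc: take it from a statically linked binary, or query the kernel over netlink (which is what `ss` does) rather than reading /proc. The comparison is a heuristic, since a more complete implant can hook additional interfaces, but a non-empty /etc/ld.so.preload on a host where nothing is expected to use it is reason enough to escalate.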
Auto-color also uses a proprietary encryption scheme for its C2 channel, a custom stream cipher applied byte by byte to the data exchanged with the attackers’ infrastructure. Over this channel the server can issue commands that are executed on the compromised system.
The discovery of Auto-color underscores the growing sophistication of Linux malware and the threat it poses to the targeted sectors. Because the implant’s persistence and hiding depend on root access to the loader’s preload file, strict privilege controls matter directly; behavioural threat detection and continuous monitoring of Linux hosts, including checks that do not rely on the host’s own libc, reduce the risk further.
As the threat landscape continues to evolve, vigilance and proactive security measures remain essential to protecting critical infrastructure and sensitive data from threats like Auto-color. Researchers continue to track the campaign to strengthen defences against sophisticated malware targeting Linux systems.