A newly identified Linux backdoor, named 'Auto-Color,' has been detected in cyberattacks targeting universities and government entities in North America and Asia between November and December 2024. This sophisticated malware, uncovered by researchers at Palo Alto Networks' Unit 42, is highly elusive and challenging to eradicate, enabling persistent access to compromised systems.

Characteristics of the Auto-Color Malware

The Auto-Color malware shares some traits with the Symbiote Linux malware family, first reported by BlackBerry in 2022, yet remains distinct in its operations. The initial infection method remains unknown, but the attack is initiated by executing files with innocuous names such as "door," "egg," and "log."

Technical Details and Persistence Mechanisms

When executed with root privileges, Auto-Color installs a malicious library implant, libcext.so.2, masquerading as the legitimate libcext.so.0 library. It then copies itself to the /var/log/cross/auto-color directory and modifies the /etc/ld.preload file to ensure the implant loads before any other system library. Without root access, the malware still operates but omits these persistence mechanisms, though it can still provide remote access for attackers to potentially gain root privileges through other means.

Auto-Color's Command-and-Control Features

Auto-Color uses a custom encryption algorithm to decrypt command-and-control (C2) server information, validating exchanges via a random 16-byte handshake. This encryption obscures C2 server addresses, configuration data, and network traffic, with dynamic key changes for each request to hinder detection. Once a session is established, the backdoor supports the following operations:

  • Reverse Shell: Allows operators full remote access.
  • Command Execution: Executes arbitrary commands on the system.
  • File Manipulation: Modifies or creates files to expand the infection.
  • Proxy Functionality: Forwards attacker traffic.
  • Dynamic Configuration: Modifies its settings dynamically.

Rootkit Capabilities and Evasion Techniques

Auto-Color possesses rootkit-like features, such as hooking libc functions to intercept system calls, which it uses to conceal C2 connections by altering the /proc/net/tcp file. Additionally, it includes a "kill switch" that allows attackers to swiftly erase infection traces from compromised systems, complicating forensic investigations.

Defense Strategies Against Auto-Color

Due to its stealthy, modular design and remote control capabilities, Auto-Color poses a significant threat to Linux systems, especially those in government and academic settings. Unit 42 advises monitoring changes to /etc/ld.preload, checking /proc/net/tcp for anomalies, and employing behavior-based threat detection solutions. They also recommend reviewing system logs and network traffic for connections to known C2 IPs, as listed in their report.
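The checks Unit 42 recommends, as an added Python example that is not the article's or Unit 42's code: it parses preload-file contents and /proc/net/tcp text (constructed samples included), tagging entries that match the implant library name and listing connections to a watchlist of remote addresses. The path /etc/ld.so.preload alongside the article's /etc/ld.preload, and the placeholder watchlist address 10.0.2.10, are assumptions; on a real host the watchlist is the C2 list from the report.

```python
"""Added example (not the article's or Unit 42's code): parse the artifacts the report names."""
import re

# The article names /etc/ld.preload; glibc's preload file is /etc/ld.so.preload, so a host
# check should inspect both (assumption). The implant library name comes from the report.
PRELOAD_PATHS = ("/etc/ld.so.preload", "/etc/ld.preload")
IMPLANT_LIB_RE = re.compile(r"libcext\.so\.2$")

def suspicious_preload_entries(text):
    """Every non-comment preload entry deserves review; entries matching the implant name
    are tagged 'implant-name', the rest 'unexpected'. Returns a list of (tag, entry)."""
    findings = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        tag = "implant-name" if IMPLANT_LIB_RE.search(entry) else "unexpected"
        findings.append((tag, entry))
    return findings

def _hex_to_ip_port(field):
    ip_hex, port_hex = field.split(":")
    # /proc/net/tcp stores an IPv4 address as 8 hex digits in host (little-endian) byte order
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into (local_ip, local_port, remote_ip, remote_port, state)."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        lip, lport = _hex_to_ip_port(parts[1])
        rip, rport = _hex_to_ip_port(parts[2])
        rows.append((lip, lport, rip, rport, parts[3]))
    return rows

def connections_to(text, watchlist):
    """Rows whose remote address is on the watchlist (the IPs from the Unit 42 report)."""
    return [r for r in parse_proc_net_tcp(text) if r[2] in watchlist]

# Constructed samples: a preload file naming the implant, a local listener (state 0A),
# and an established session (state 01) to the placeholder address 10.0.2.10.
SAMPLE_PRELOAD = "/usr/lib/libcext.so.2\n"
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345\n"
    "   1: 0F02000A:A1B2 0A02000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346\n"
)
```

Because the implant hooks libc to filter what hooked processes read from /proc/net/tcp, run the parser on data obtained outside the suspect process (a statically linked reader, a netlink socket view such as ss, or a forensic image) and compare the two views.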
