A recently discovered threat targeting Linux systems has been identified as Auto-Color, a stealthy backdoor that provides persistent access to targeted systems, particularly universities and government institutions.
Auto-Color Linux Malware Launches Active Campaigns
Researchers at Palo Alto Networks Unit 42 have uncovered a new Linux malware called Auto-Color, which is actively conducting malicious campaigns. Linux users worldwide are advised to watch for this stealthy malware.
Auto-Color is a powerful backdoor that infiltrates target systems discreetly, allowing for persistent access by attackers.
The malware is named Auto-Color due to its ability to rename itself after installation using innocuous file names such as “door” or “egg.” It employs evasive tactics to conceal its command and control (C&C) connections, communications, and configurations, and it uses encryption algorithms to protect them. The researchers have noted similarities between Auto-Color and the previously known Symbiote malware, both of which hide their C&C connections.
Upon successful installation, the malware establishes persistence, granting attackers full remote access to target systems. To avoid detection, the malware installs a malicious library implant (libcext.so.2) on the system if the user account has root access.
If the user account lacks root privileges, the malware skips the library installation, providing attackers with temporary access. The installation of this library enables the malware to mimic the legitimate C utility library libcext.so.0, aiding in stealth persistence by executing before other system libraries.
After a successful attack, the malware receives commands from the C&C, which can include opening a reverse shell, executing commands, modifying files, altering configurations, or acting as a proxy to redirect system traffic. The backdoor also features a “kill-switch” functionality to erase all traces of infection from the target system to evade detection.
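A defensive triage script for the library implant described above, added here as an illustration and not part of the original article or the Unit 42 report. It assumes that a library "executing before other system libraries" is registered through /etc/ld.so.preload, the standard glibc preload mechanism, and that the implant keeps the libcext.so.2 name reported in the article; the preload contents used in the example run are constructed.

```python
"""Triage helpers for the Auto-Color library implant (added example)."""
import os

# File name of the implant as reported in the article.
IMPLANT_NAME = "libcext.so.2"
# Directories the dynamic loader commonly searches; assumption, not from the article.
LIBRARY_DIRS = ["/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib"]
PRELOAD_FILE = "/etc/ld.so.preload"


def preload_findings(preload_text):
    """Classify each entry of an ld.so.preload file.

    Entries are whitespace separated; '#' starts a comment here. On a healthy
    host the file is usually absent or empty, so every entry deserves review,
    and an entry naming the implant is flagged as such.
    """
    findings = []
    for line in preload_text.splitlines():
        for entry in line.split("#", 1)[0].split():
            kind = "implant" if os.path.basename(entry) == IMPLANT_NAME else "review"
            findings.append((kind, entry))
    return findings


def implant_paths(candidate_files):
    """Return the paths whose file name matches the reported implant name."""
    return [p for p in candidate_files if os.path.basename(p) == IMPLANT_NAME]


def walk_library_dirs(dirs=LIBRARY_DIRS):
    """List every file below the given library directories (missing dirs skipped)."""
    found = []
    for base in dirs:
        for root, _, files in os.walk(base):
            found.extend(os.path.join(root, name) for name in files)
    return found


if __name__ == "__main__":
    # Constructed sample standing in for the preload file of a compromised host.
    sample_preload = "/usr/lib/libcext.so.2\n# vendor agent\n/usr/lib/libagent.so\n"
    if os.path.exists(PRELOAD_FILE):
        with open(PRELOAD_FILE) as fh:
            sample_preload = fh.read()
    for kind, entry in preload_findings(sample_preload):
        print(f"[{kind}] preload entry: {entry}")
    for path in implant_paths(walk_library_dirs()):
        print(f"[implant] file present: {path}")
```

Run as root so the library directories are fully readable; an empty result does not rule out infection, since the article notes the backdoor can erase its own traces.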
For a detailed technical analysis of this malware, the researchers have shared a post on their website.
Stay Vigilant, Linux Users
The Auto-Color malware was first discovered by the Unit 42 team in November 2024. Analysis of the malware samples revealed its targeting of universities and government offices in Asia and North America. However, the researchers have not pinpointed the exact method(s) through which the malware infects target devices.
Nevertheless, the researchers have provided indicators of compromise (IoCs) in their report for users to scan their systems accordingly.