New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems

Source: The Hacker News
Feb 26, 2025 | Ravie Lakshmanan | Linux / Endpoint Security

Universities and government organizations in North America and Asia have been targeted by a previously undocumented Linux malware called Auto-Color between November and December 2024, according to new findings from Palo Alto Networks Unit 42.

“Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software,” security researcher Alex Armstrong said in a technical write-up of the malware.


Auto-Color takes its name from the file name the initial payload renames itself to after installation. How it reaches its targets is not yet known; what is known is that the victim has to run it explicitly on their Linux machine.

A notable aspect of the malware is the arsenal of tricks it employs to evade detection. These include seemingly innocuous file names such as door or egg, concealed command-and-control (C2) connections, and proprietary encryption algorithms that mask its communications and configuration data.

When launched with root privileges, it installs a malicious library implant named “libcext.so.2,” copies and renames itself to /var/log/cross/auto-color, and adds the implant to “/etc/ld.so.preload,” the file the dynamic loader consults for libraries to load into every dynamically linked process ahead of everything else, which is how it establishes persistence on the host.

“If the current user lacks root privileges, the malware will not proceed with the installation of the evasive library implant on the system,” Armstrong said. “It will proceed to do as much as possible in its later phases without this library.”

The library implant hooks libc functions, in particular open(), the libc wrapper around the open system call. When a process opens “/proc/net/tcp,” the kernel's table of active TCP connections, the implant filters out the rows belonging to its own C2 sessions, so any dynamically linked tool that reads that file through libc, netstat included, sees a doctored view. Symbiote, another Linux malware, used the same technique.


It also hardens itself against removal by protecting “/etc/ld.so.preload” from further modification or deletion.
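The persistence and hiding described above both depend on the dynamic loader pulling the implant into every process that uses libc, which suggests a practical check. Below is an added example for defenders, not code from Unit 42 or from the malware: a small Go tool that lists whatever /etc/ld.so.preload names and prints /proc/net/tcp in readable form. Go issues system calls itself rather than through libc, and a CGO_ENABLED=0 build is fully static, so the loader never applies ld.so.preload to it and a hooked libc open() cannot filter what it reads. The program name, the sample ld.so.preload line (the implant's directory is assumed; the article gives only the file name) and the two connection rows are constructed for the demo.

```go
// auditpreload.go: added example, not Unit 42's or the malware's code. Lists the
// libraries named in /etc/ld.so.preload and dumps /proc/net/tcp readably. Go issues
// syscalls itself rather than through libc, and a CGO_ENABLED=0 build is static, so
// the loader never applies ld.so.preload and a hooked libc open() cannot filter it.
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// TCPConn is one data row of /proc/net/tcp in readable form.
type TCPConn struct {
	Local, Remote, State string
	UID, Inode           uint64
}

var tcpStates = map[uint64]string{1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV",
	4: "FIN_WAIT1", 5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
	9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}

// DecodeAddr turns "0F02000A:BB8C" (IPv4 as a host-order hex word, then a hex port)
// into "10.0.2.15:48012"; on little-endian hosts the address bytes appear reversed.
func DecodeAddr(field string) (string, error) {
	if len(field) < 10 || field[8] != ':' {
		return "", fmt.Errorf("malformed address field %q", field)
	}
	ip, errIP := strconv.ParseUint(field[:8], 16, 32)
	port, errPort := strconv.ParseUint(field[9:], 16, 16)
	if errIP != nil || errPort != nil {
		return "", fmt.Errorf("malformed address field %q", field)
	}
	return fmt.Sprintf("%d.%d.%d.%d:%d", ip&0xff, (ip>>8)&0xff, (ip>>16)&0xff, (ip>>24)&0xff, port), nil
}

// ParseTCPLine parses one data row (columns: sl local rem st tx:rx tr:when
// retrnsmt uid timeout inode ...); the header and malformed rows give ok=false.
func ParseTCPLine(line string) (TCPConn, bool) {
	f := strings.Fields(line)
	if len(f) < 10 || !strings.HasSuffix(f[0], ":") {
		return TCPConn{}, false
	}
	local, errL := DecodeAddr(f[1])
	remote, errR := DecodeAddr(f[2])
	st, errS := strconv.ParseUint(f[3], 16, 8)
	uid, errU := strconv.ParseUint(f[7], 10, 32)
	inode, errI := strconv.ParseUint(f[9], 10, 64)
	if errL != nil || errR != nil || errS != nil || errU != nil || errI != nil {
		return TCPConn{}, false
	}
	state, known := tcpStates[st]
	if !known {
		state = fmt.Sprintf("UNKNOWN(%d)", st)
	}
	return TCPConn{Local: local, Remote: remote, State: state, UID: uid, Inode: inode}, true
}

// PreloadEntries returns the paths in ld.so.preload contents: glibc accepts entries
// separated by whitespace or ':' and '#' comments. Most hosts have no such file.
func PreloadEntries(contents string) []string {
	var libs []string
	for _, line := range strings.Split(contents, "\n") {
		line, _, _ = strings.Cut(line, "#")
		libs = append(libs, strings.Fields(strings.ReplaceAll(line, ":", " "))...)
	}
	return libs
}

// Constructed demo inputs; the implant's directory and the connections are assumed.
const SamplePreload = "# constructed\n/usr/lib/libcext.so.2\n"
const SampleTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:BB8C 5BC8A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
`

func main() {
	preload, tcp := SamplePreload, SampleTCP
	if len(os.Args) < 2 || os.Args[1] != "--demo" { // read the live host unless --demo
		p, _ := os.ReadFile("/etc/ld.so.preload") // absent on a healthy host: no entries
		t, err := os.ReadFile("/proc/net/tcp")
		if err != nil {
			fmt.Println("cannot read /proc/net/tcp:", err)
			return
		}
		preload, tcp = string(p), string(t)
	}
	for _, lib := range PreloadEntries(preload) {
		fmt.Println("PRELOAD:", lib) // any entry on an unmanaged host deserves a look
	}
	sc := bufio.NewScanner(strings.NewReader(tcp))
	for sc.Scan() {
		if c, ok := ParseTCPLine(sc.Text()); ok {
			fmt.Printf("%-22s %-22s %-12s uid=%d inode=%d\n", c.Local, c.Remote, c.State, c.UID, c.Inode)
		}
	}
}
```

Build it with `CGO_ENABLED=0 go build -o auditpreload auditpreload.go`, copy the binary to the suspect host and compare its connection list with the output of a dynamically linked tool such as `netstat -tan`, which reads the same file through libc; rows present here but missing there point at filtering in a preloaded library. `./auditpreload --demo` prints the constructed sample instead of the live tables. The check only defeats the user-space open() hook described in the article: an implant that also tampered with the kernel, or with the binary before it ran, would not be caught this way.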

Auto-color then proceeds to contact a C2 server, granting the operator the ability to spawn a reverse shell, gather system information, create or modify files, run programs, use the machine as a proxy for communication between a remote IP address and a specific target IP address, and even uninstall itself by means of a kill switch.

“Upon execution, the malware attempts to receive remote instructions from a command server that can create reverse shell backdoors on the victim’s system,” Armstrong said. “The threat actors separately compile and encrypt each command server IP using a proprietary algorithm.”
