Linux Malware Auto-Color Targets Universities and Government Organizations
According to recent findings by Palo Alto Networks Unit 42, a previously undocumented Linux malware known as Auto-Color has been targeting universities and government organizations in North America and Asia between November and December 2024.
Security researcher Alex Armstrong noted in a technical write-up of the malware that “Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software.”
The name “Auto-color” is derived from the file name the initial payload renames itself to after installation. Although the exact method by which it reaches its targets is currently unknown, it is clear that the victim must explicitly run the malware on their Linux machine for it to take effect.
A notable aspect of Auto-color is its extensive arsenal of evasion techniques. These include using seemingly innocuous file names such as “door” or “egg,” concealing command-and-control (C2) connections, and leveraging proprietary encryption algorithms to mask communication and configuration information.
Upon launch with root privileges, the malware installs a malicious library implant named “libcext.so.2,” copies and renames itself to /var/log/cross/auto-color, and modifies “/etc/ld.preload” to establish persistence on the host.
Armstrong further explained, “If the current user lacks root privileges, the malware will not proceed with the installation of the evasive library implant on the system. It will, however, proceed to carry out as much of its operation as possible in its later phases without this library.”
The library implant is designed to passively hook functions used in libc to intercept the open() system call, which is then utilized to hide C2 communications by modifying “/proc/net/tcp,” a file containing information on all active network connections. This technique bears resemblance to that employed by another Linux malware known as Symbiote.
The malware also incorporates a mechanism to prevent its uninstallation by protecting the “/etc/ld.preload” file against further modification or removal.
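As an added defender-side example (not code from the article or from Unit 42), the two checks a responder would run against the behaviour just described: auditing the preload file for entries that are not allowlisted, and diffing a libc-obtained read of /proc/net/tcp against a trusted read (for example from a statically linked tool, or the host's view of a container) to surface rows that a hooked open() filters out. It audits both the standard glibc path /etc/ld.so.preload and the path the article names; the library names and connection rows are constructed sample data.

```python
import os
from typing import Iterable

# Files to audit: the standard glibc preload file plus the path as named in the article.
PRELOAD_FILES = ("/etc/ld.so.preload", "/etc/ld.preload")

def unexpected_preloads(text: str, allowlist: Iterable[str] = ()) -> list[str]:
    """Return preload entries not on the allowlist (whitespace separated, '#' comments stripped)."""
    allowed = set(allowlist)
    found = []
    for line in text.splitlines():
        for entry in line.split("#", 1)[0].split():
            if entry not in allowed:
                found.append(entry)
    return found

def _decode(field: str) -> str:
    """Convert a /proc/net/tcp 'ADDR:PORT' hex field (little-endian IPv4) to dotted form."""
    addr, port = field.split(":")
    octets = [str(int(addr[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return f"{'.'.join(octets)}:{int(port, 16)}"

def parse_proc_net_tcp(text: str) -> set[tuple[str, str, str]]:
    """Parse /proc/net/tcp into (local, remote, state) tuples, skipping the header line."""
    rows = set()
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4:
            rows.add((_decode(parts[1]), _decode(parts[2]), parts[3]))
    return rows

def hidden_connections(libc_view: str, trusted_view: str) -> set[tuple[str, str, str]]:
    """Rows present in a trusted read of /proc/net/tcp (statically linked tool, or the
    host's view of a container) but missing from the read made through libc open()."""
    return parse_proc_net_tcp(trusted_view) - parse_proc_net_tcp(libc_view)

# Constructed sample data, not real indicators: a preload file carrying an unknown library,
# and two views of /proc/net/tcp where the filtered one lacks the 203.0.113.5:443 row.
SAMPLE_PRELOAD = "/usr/lib/libfakeroot.so  # legitimate\n/lib/libcext.so.2\n"
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
ROW_LOCAL = "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 100 1\n"
ROW_C2 = "   1: 0F02000A:B12C 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 200 1\n"
FILTERED_VIEW = HEADER + ROW_LOCAL
TRUSTED_VIEW = HEADER + ROW_LOCAL + ROW_C2

if __name__ == "__main__":  # live check of this host's preload files, then the constructed sample
    for path in filter(os.path.exists, PRELOAD_FILES):
        print(path, unexpected_preloads(open(path).read()))
    print(hidden_connections(FILTERED_VIEW, TRUSTED_VIEW))
```

A non-empty result from either check is a lead to investigate, not proof on its own; the trusted view must come from a binary that does not load the preloaded library.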
Upon establishing communication with a C2 server, Auto-color grants the operator the capability to spawn a reverse shell, gather system information, create or modify files, run programs, utilize the machine as a proxy for communication between a remote IP address and a specific target IP address, and even facilitate its own uninstallation through a kill switch.
Armstrong stated, “Upon execution, the malware attempts to receive remote instructions from a command server that can create