Auto-color: New Linux backdoor malware targeting the US and Asia. Learn about its advanced evasion, persistence, and detection methods.
A newly discovered Linux malware, dubbed Auto-color, is targeting educational institutions and government entities in North America and Asia, employing advanced stealth techniques to avoid detection and removal.
Researchers at Palo Alto Networks Unit 42 identified the malware; their investigation shows it was active between November and December 2024. Auto-color distinguishes itself by using innocuous file names, common words such as “door” or “egg,” to disguise its initial executable.
“Although the file sizes are always the same, the hashes are different. This is because the malware author statically compiled the encrypted C2 configuration payload into each malware sample,” Unit 42’s blog post, authored by Alex Armstrong, revealed.
Upon execution, it checks its own file name and, if it doesn’t match a designated name, initiates an installation phase. This phase embeds a malicious library implant, mimicking a legitimate system library, within the system. The malware’s behaviour depends on whether it is running with root privileges: if root access is available, it installs a library designed to override core system functions.
A key aspect of Auto-color’s stealth is its manipulation of the Linux system’s ld.so.preload file. This ensures its malicious library is loaded before other system libraries, enabling it to intercept and modify system functions. This technique grants the malware significant control over the system’s behaviour, including the ability to hide its network activity.
Auto-color employs sophisticated methods to conceal its network connections. It hooks into functions within the C standard library, allowing it to filter and manipulate the system’s network connection information. By altering the contents of the /proc/net/tcp file, it effectively hides its communication with command-and-control servers, making it difficult for security analysts to detect. This manipulation is more advanced than similar techniques used by previously discovered malware, researchers observed.
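The two procfs artefacts described above, the preload file and the /proc/net/tcp table, can be cross-checked from a defender’s side. The following is an added example, not code from Unit 42 or from the malware analysis: it parses the /proc/net/tcp format, compares the socket inodes it lists against the socket inodes found in processes’ /proc/<pid>/fd link targets (a socket a process holds open but the table does not show is a sign of a filtered view), and lists whatever /etc/ld.so.preload contains. The sample table and fd targets are constructed; on a live host you would read /proc/net/tcp and os.readlink over /proc/*/fd, ideally from a statically linked tool, since a libc hook can also tamper with those reads.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}

def _hex_to_ipv4(hexaddr: str) -> str:
    # /proc/net/tcp prints IPv4 addresses as 8 hex digits in host byte order,
    # so on little-endian machines the octets come out reversed.
    return str(ipaddress.IPv4Address(bytes.fromhex(hexaddr)[::-1]))

def parse_proc_net_tcp(text: str) -> List[Dict[str, str]]:
    """Parse /proc/net/tcp text into socket records (local, remote, state, uid, inode)."""
    records = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        laddr, lport = f[1].split(":")
        raddr, rport = f[2].split(":")
        records.append({"local": f"{_hex_to_ipv4(laddr)}:{int(lport, 16)}",
                        "remote": f"{_hex_to_ipv4(raddr)}:{int(rport, 16)}",
                        "state": TCP_STATES.get(f[3], f[3]), "uid": f[7], "inode": f[9]})
    return records

def socket_inodes_from_fds(fd_targets: Iterable[str]) -> Set[str]:
    """Socket inode numbers from /proc/<pid>/fd link targets such as 'socket:[1234]'."""
    return {t[8:-1] for t in fd_targets if t.startswith("socket:[") and t.endswith("]")}

def find_hidden_sockets(proc_net_tcp_text: str, fd_targets: Iterable[str]) -> Set[str]:
    """Socket inodes held open by processes but missing from /proc/net/tcp.
    Non-empty means the procfs view is filtered, or the sockets are UDP/IPv6:
    check /proc/net/tcp6 and /proc/net/udp before concluding."""
    listed = {r["inode"] for r in parse_proc_net_tcp(proc_net_tcp_text)}
    return socket_inodes_from_fds(fd_targets) - listed

def preload_entries(ld_so_preload_text: str) -> List[str]:
    """Libraries listed in /etc/ld.so.preload; the file is normally absent or empty."""
    return [l.strip() for l in ld_so_preload_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

# Constructed sample data (not a real capture): an SSH listener, one established
# connection, and fd targets that reference a socket (33333) absent from the table.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0201A8C0:C350 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1\n"
)
SAMPLE_FD_TARGETS = ["/dev/null", "socket:[22222]", "socket:[33333]", "pipe:[44444]"]
```

Any entry returned by preload_entries deserves a look, since a clean system rarely uses the file at all; a non-empty result from find_hidden_sockets is a prompt to compare the host’s view with an out-of-band one (network telemetry, or a read from a statically linked binary).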
The malware uses a proprietary encryption mechanism to connect to remote servers, retrieving target server details from a dynamically generated configuration file or an embedded encrypted payload. It uses a custom stream cipher for secure communication with the attackers’ infrastructure.
“A stream cipher is an encryption scheme in which the key interacts with each byte of the ciphertext,” the blog post read.
Once established, the malware exchanges encrypted messages with the server, enabling the execution of commands on the compromised system.
The discovery of Auto-color highlights the growing sophistication of Linux-based malware: its ability to manipulate core system processes and its advanced evasion techniques pose a significant threat to the targeted sectors. Organizations should strengthen their security measures, including stringent privilege controls, behavioural threat detection, and continuous monitoring of Linux systems, to mitigate the risk of infection.