
Auto-Color Linux Backdoor: TTPs and Internal Architecture Exposed

A newly identified Linux backdoor named “Auto-Color,” first observed between November and December 2024, has been targeting government organizations and universities across North America and Asia.

This malware, initially disguised as a benign color-enhancement tool, employs sophisticated tactics, techniques, and procedures (TTPs) to infiltrate systems and maintain persistent access.

Technical Analysis

Auto-Color employs several evasion techniques to avoid detection. It dynamically resolves APIs at runtime, making static detection more challenging.

According to the report, the malware's string encryption hides its functionality and complicates analysis.

Figure: Malware installation function

Upon execution, it checks for root privileges before deploying its full suite of advanced tactics:

  • String Encryption: Uses XOR operations to obfuscate its strings, making it difficult for analysts to understand its intentions at first glance.
  • Installation: When installed, Auto-Color creates a directory at /var/log/cross, which it populates with system logs to blend in. It then copies itself into this folder under the name "auto-color" and sets the file's permissions to 777 (read, write, and execute for every user).
  • Library Injection: It drops a shared library libcext.so.2, designed to mimic a legitimate system library, into the system’s library path. This library is used to hook critical functions, thereby intercepting and altering system calls related to file operations, permissions, and network activities.
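The installation indicators listed above (the /var/log/cross directory, the auto-color binary with mode 777, and a libcext.so.2 dropped into a system library directory) are concrete enough to check for on a host. The script below is an added example written for this article, not code from the report or from the malware; it scans a filesystem root for those names. The /etc/ld.so.preload check is an assumption: the article does not say how libcext.so.2 gets loaded into processes, and the preload file is simply the most common way a dropped library is forced into every dynamically linked program, so a hit there is a heuristic rather than a confirmed Auto-Color indicator. The `build_demo_root()` helper seeds a throwaway directory with constructed copies of the indicators so the scanner can be exercised offline.

```python
import os
import stat
import tempfile

# Indicators taken from the Auto-Color write-up: staging directory, binary name,
# the 777 permission set, and the dropped shared library name.
STAGING_DIR = "var/log/cross"
BINARY_NAME = "auto-color"
LIBRARY_NAME = "libcext.so.2"
LIBRARY_DIRS = ("lib", "lib64", "usr/lib", "usr/lib64", "usr/local/lib")
# Assumption (not stated in the article): a hooking library is typically loaded
# through /etc/ld.so.preload, so a reference to the library there is worth flagging.
PRELOAD_FILE = "etc/ld.so.preload"


def scan_for_auto_color(root="/"):
    """Return (kind, path, detail) tuples for every indicator found under root."""
    findings = []

    staging = os.path.join(root, STAGING_DIR)
    if os.path.isdir(staging):
        findings.append(("staging_dir", staging, "directory named in the report exists"))
        binary = os.path.join(staging, BINARY_NAME)
        if os.path.isfile(binary):
            mode = stat.S_IMODE(os.stat(binary).st_mode)
            detail = f"mode={oct(mode)}"
            if mode == 0o777:
                detail += " (world read/write/execute, matches the report)"
            findings.append(("binary", binary, detail))

    for lib_dir in LIBRARY_DIRS:
        candidate = os.path.join(root, lib_dir, LIBRARY_NAME)
        if os.path.exists(candidate):
            findings.append(("library", candidate, "shared library name from the report"))

    preload = os.path.join(root, PRELOAD_FILE)
    if os.path.isfile(preload):
        with open(preload, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if LIBRARY_NAME in line:
                    findings.append(("preload", preload, line.strip()))

    return findings


def build_demo_root():
    """Create a temporary tree seeded with constructed indicators (test data only)."""
    root = tempfile.mkdtemp(prefix="autocolor-demo-")
    staging = os.path.join(root, STAGING_DIR)
    os.makedirs(staging)
    binary = os.path.join(staging, BINARY_NAME)
    with open(binary, "w", encoding="utf-8") as fh:
        fh.write("#!/bin/sh\n# placeholder file for the demo, not malware\n")
    os.chmod(binary, 0o777)
    lib_dir = os.path.join(root, "usr/lib")
    os.makedirs(lib_dir)
    open(os.path.join(lib_dir, LIBRARY_NAME), "w").close()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, PRELOAD_FILE), "w", encoding="utf-8") as fh:
        fh.write("/usr/lib/" + LIBRARY_NAME + "\n")
    return root


def demo_findings():
    """Scan the constructed demo tree; used to show what a positive result looks like."""
    return scan_for_auto_color(build_demo_root())


if __name__ == "__main__":
    # Run against the live root of this host; an empty result means none of the
    # filename indicators were present (it says nothing about renamed variants).
    for kind, path, detail in scan_for_auto_color("/"):
        print(f"[{kind}] {path}: {detail}")
```

Run it as root so that /etc/ld.so.preload and the library directories are readable. Because the scanner matches on the names reported for this sample, a renamed build would slip past it; treat a hit as a reason to image the host, and treat a miss as no more than the absence of these specific names.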

Internal Architecture

The internal architecture of Auto-Color reveals a robust framework for maintaining persistence and stealth:

  • Persistence: To ensure continuous operation, Auto-Color integrates with system daemons like cron, auditd, and acpid by forking itself into these processes, thus leveraging their persistence for its own.
  • Network Activity Evasion: It hooks file access functions to manipulate /proc/net/tcp, filtering out its own C2 communications to hide from network monitoring tools.
  • Command and Control (C2): Auto-Color uses encrypted TCP sockets to connect to its C2 server. It employs a handshake mechanism involving pseudo-random number generation for authentication, ensuring secure command execution.
Figure: Main function
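Hooking the file-access functions that read /proc/net/tcp means any tool that opens that file through the hooked library sees a table with the C2 session removed. A defender's counter is to compare that view with one obtained another way (for instance a netlink-based socket listing, or a statically linked reader that does not pick up the injected library) and flag rows present in one but not the other. The code below is an added example, not code from the report; it parses the kernel's /proc/net/tcp format and diffs two listings. Both tables are constructed samples, and the "hooked" one is simply the unhooked one with the outbound session to 192.168.1.100:7101 filtered out, mimicking the behaviour the article describes.

```python
import socket
import struct

# Constructed sample of /proc/net/tcp output (not captured from a real infection).
# Column layout follows the kernel: sl, local_address, rem_address, st, ...
# Addresses are hex, IPv4 in host byte order (little-endian on x86), port big-endian.
SAMPLE_UNHOOKED = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8A3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C4B2 6401A8C0:1BBD 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# The same table as a hooked reader would return it: the row for the outbound
# session (index 2) has been filtered out.
SAMPLE_HOOKED = "\n".join(
    line for line in SAMPLE_UNHOOKED.splitlines() if not line.startswith("   2:")
) + "\n"

# Subset of the kernel's TCP state codes as they appear in the st column.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def _decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' from /proc/net/tcp into (dotted_ip, port)."""
    hex_ip, hex_port = field.split(":")
    # The kernel prints the IPv4 address as a host-order 32-bit integer, so on a
    # little-endian host the bytes must be reversed to get network order.
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into a set of (lip, lport, rip, rport, state)."""
    conns = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_ip, local_port = _decode_endpoint(fields[1])
        remote_ip, remote_port = _decode_endpoint(fields[2])
        state = TCP_STATES.get(fields[3], fields[3])
        conns.add((local_ip, local_port, remote_ip, remote_port, state))
    return conns


def hidden_connections(hooked_text, reference_text):
    """Sockets visible in the reference listing but missing from the (possibly hooked) one."""
    return parse_proc_net_tcp(reference_text) - parse_proc_net_tcp(hooked_text)


if __name__ == "__main__":
    for conn in sorted(hidden_connections(SAMPLE_HOOKED, SAMPLE_UNHOOKED)):
        print("hidden from /proc/net/tcp:", conn)
```

On a live host, feed `hidden_connections()` the contents of /proc/net/tcp as read by an ordinary dynamically linked process and a second listing produced by a path that bypasses the hooked library; any row that only the second source reports is a socket something is trying to conceal. The parser only covers IPv4 (/proc/net/tcp); /proc/net/tcp6 uses 32-digit addresses and would need a separate decoder.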

Auto-Color can execute a suite of commands directed from its C2 server:

  • System Information Collection: It can gather system details including IP addresses, total memory, and OS version, sending this back to the attacker.
  • File and Directory Operations: Commands allow for reading, writing, deleting, renaming, and manipulating files or directories.
  • Reverse Shell Creation: Upon command, it opens a reverse shell, providing attackers with interactive access to the compromised host.
  • Proxy Functionality: The malware can act as a proxy, facilitating connections between the attacker and another target system.

The exposure of Auto-Color’s TTPs and internal architecture provides critical insights into its operations, potentially aiding in the development of effective countermeasures.

Security teams are urged to update their detection mechanisms and review their systems for signs of this backdoor, given its sophisticated means of evasion and persistence.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
