Monday, May 5, 2025
New Auto-Color Malware Attacking Linux Devices to Gain Full Remote Access

Researchers at Palo Alto Networks have identified a new Linux malware, dubbed “Auto-Color,” that has emerged as a significant threat due to its advanced evasion techniques and ability to grant attackers full remote access to compromised systems.

Discovered between November and December 2024, the malware targets Linux-based systems, primarily those in universities and government offices across North America and Asia.

The malware operates covertly by employing several sophisticated methods to avoid detection.

It disguises itself with benign file names such as “door” or “egg” during installation and utilizes a malicious library implant, libcext.so.2, that mimics legitimate system files.

Figure: Flow diagram of Auto-Color.

Installation Process and Root Privilege Exploitation

Upon execution, Auto-Color checks whether its executable file name matches “Auto-color.”

If not, it renames itself and begins installing an evasive library implant.

The installation process is contingent on the user having root privileges.

Figure: Initial installation of Auto-Color.

Without root access, the malware operates in a limited capacity but still poses a threat through its later stages.

With root access, however, it installs the libcext.so.2 library in the system’s base directory and modifies critical files like /etc/ld.preload to ensure persistence.

This modification allows the malware to load its malicious library before any other system libraries, enabling it to override core functions.

Advanced Obfuscation Techniques

Auto-Color employs proprietary encryption algorithms to hide its configuration data and communication with command-and-control (C2) servers.

It uses a custom stream cipher for encrypting payloads, making it difficult for traditional security tools to detect or analyze its behavior.

Furthermore, the malware hooks into standard libc functions such as open() to manipulate system files like /proc/net/tcp, effectively hiding network activity from users and administrators.

The malware’s ability to conceal its C2 connections is reminiscent of techniques used by the Symbiote malware family but is more advanced in its implementation.

For instance, Auto-Color parses network data in real time and removes traces of specific IP addresses or ports associated with its operations, ensuring that these activities remain invisible even under scrutiny.
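A hook on open() that filters /proc/net/tcp only fools readers on the infected host itself, so the defensive move is to compare the host's own table with a view the implant cannot touch (a network tap, flow records from a switch, firewall logs). The following script is an added example written for this article, not code from the article or from Unit 42: it parses /proc/net/tcp lines, decodes the kernel's hex address format (assuming a little-endian host), and reports remote endpoints that an out-of-band sensor saw but the host's table omits. The sample table and sensor view are constructed for the example.

```python
"""Parse /proc/net/tcp and diff it against an out-of-band view of connections.

Added example, not code from the article or from Unit 42. A preloaded library that
hooks open() can filter what a process reads from /proc/net/tcp, so the on-host
view can only be trusted when it agrees with a view the implant cannot alter
(a network tap, NetFlow/IPFIX from a switch, or firewall logs).
"""
from __future__ import annotations

import socket

# TCP state codes as printed in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(field: str) -> tuple[str, int]:
    """Decode an ADDR:PORT field such as '0100007F:0016' into ('127.0.0.1', 22).

    The kernel prints the IPv4 address as a 32-bit value in host byte order, so on
    little-endian hosts (assumed here) the bytes appear reversed; the port is
    plain big-endian hex.
    """
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Turn the text of /proc/net/tcp into a list of connection records."""
    records = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        records.append({
            "local": decode_endpoint(parts[1]),
            "remote": decode_endpoint(parts[2]),
            "state": TCP_STATES.get(parts[3], parts[3]),
        })
    return records


def hidden_connections(host_records: list[dict],
                       external_view: set[tuple[str, int]]) -> set[tuple[str, int]]:
    """Remote endpoints the network saw in use but the host's own table does not list.

    Listening sockets and TIME_WAIT entries carry no live peer and are excluded;
    anything left over is a candidate for a filtered /proc/net/tcp.
    """
    on_host = {r["remote"] for r in host_records
               if r["state"] not in ("LISTEN", "TIME_WAIT")}
    return external_view - on_host


def read_live_table() -> list[dict]:
    """Read the running host's table (only meaningful when the reader itself is not hooked)."""
    with open("/proc/net/tcp") as fh:
        return parse_proc_net_tcp(fh.read())


# Constructed sample: one SSH listener plus one outbound HTTPS session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18013 1 0000000000000000 100 0 0 10 0
   1: 0202A8C0:B1F2 0100000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22911 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of what a network sensor reported for the same host: the
# 203.0.113.5:8443 session (a documentation-range address) is absent on the host.
SAMPLE_EXTERNAL_VIEW = {("10.0.0.1", 443), ("203.0.113.5", 8443)}

if __name__ == "__main__":
    records = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for r in records:
        print(f"{r['local'][0]}:{r['local'][1]} -> {r['remote'][0]}:{r['remote'][1]} {r['state']}")
    print("hidden:", hidden_connections(records, SAMPLE_EXTERNAL_VIEW))
```

Run it as-is to see the constructed case; on a real host, feed read_live_table() and a set of (ip, port) pairs exported from the sensor. A non-empty result does not prove an implant, but a session the network saw and the host denies is exactly the discrepancy this class of hook produces.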

Once installed, Auto-Color provides attackers with full remote access capabilities, including:

  • Establishing reverse shell connections for direct interaction with infected systems
  • Acting as a network proxy for further attacks
  • Manipulating files and executing programs locally
  • Sending and modifying global configuration data

The malware communicates with C2 servers using a custom protocol that encrypts all messages with dynamically generated keys.

Each command sent by the server triggers specific actions on the infected machine, ranging from gathering system information to uninstalling itself if necessary.

Indicators of compromise include malicious executables with names like “log,” “edu,” or “door,” all sharing an identical file size (229,160 bytes) but differing hashes due to embedded encrypted payloads. Additionally, suspicious modifications to /etc/ld.preload or unexpected network activity involving specific IP addresses may signal an infection.
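The indicators above (an unexpected loader preload entry, ELF files of exactly 229,160 bytes, and the benign-looking names) can be turned into a host triage script. The one below is an added example written for this article, not code from the article or from Palo Alto Networks. It checks both /etc/ld.so.preload, which is the file glibc's dynamic loader actually reads, and /etc/ld.preload, the path the article names; the allowlist, the sample preload content and the library path in it are constructed, since the article does not give the install path. Because the implant hooks the reading process's own libc, run such a check from a statically linked tool or against a disk image mounted on a clean system.

```python
"""Triage a Linux host for the Auto-Color indicators named in the article.

Added example, not code from the article or from Palo Alto Networks. It checks the
loader preload file for unexpected entries and looks for ELF files that match the
reported dropper size and file names. The allowlist and sample data are constructed.
"""
from __future__ import annotations

from pathlib import Path

AUTO_COLOR_SIZE = 229_160                      # size reported for the dropped executables
SUSPECT_NAMES = {"log", "edu", "door", "egg"}  # benign-looking names reported for them
ELF_MAGIC = b"\x7fELF"

# glibc's dynamic loader reads /etc/ld.so.preload; the article names /etc/ld.preload,
# so both paths are checked.
PRELOAD_PATHS = ("/etc/ld.so.preload", "/etc/ld.preload")


def suspicious_preload_entries(text: str, allowlist: frozenset[str] = frozenset()) -> list[str]:
    """Return every non-comment entry of a preload file that is not on the allowlist.

    Each entry is mapped into every dynamically linked process before libc, which is
    how the implant gets to hook open() system-wide; on most hosts the file should
    not exist at all, so any entry deserves review.
    """
    found = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry and entry not in allowlist:
            found.append(entry)
    return found


def classify_candidate(name: str, size: int, header: bytes) -> list[str]:
    """Return the indicator matches for one file; an empty list means no match."""
    reasons = []
    if not header.startswith(ELF_MAGIC):
        return reasons                         # the indicators describe ELF executables
    if size == AUTO_COLOR_SIZE:
        reasons.append("size is exactly 229,160 bytes")
    if name in SUSPECT_NAMES:
        reasons.append(f"benign-looking name {name!r} from the IoC list")
    return reasons


def scan_directory(root: str) -> list[tuple[str, list[str]]]:
    """Walk root and return (path, reasons) for every file that matches an indicator."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file():
                continue
            with path.open("rb") as fh:
                header = fh.read(4)
            reasons = classify_candidate(path.name, path.stat().st_size, header)
        except OSError:
            continue                           # unreadable or vanished file
        if reasons:
            hits.append((str(path), reasons))
    return hits


def check_preload_files(paths=PRELOAD_PATHS,
                        allowlist: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Report unexpected entries for each preload file that exists on this host."""
    findings = {}
    for p in paths:
        try:
            text = Path(p).read_text()
        except FileNotFoundError:
            continue
        findings[p] = suspicious_preload_entries(text, allowlist)
    return findings


# Constructed sample: a preload file pointing at the implant's library name, at a
# path chosen for the example (the article does not give the install path).
SAMPLE_PRELOAD = "/lib/libcext.so.2\n"

if __name__ == "__main__":
    print("sample preload entries:", suspicious_preload_entries(SAMPLE_PRELOAD))
    print("live preload files:", check_preload_files())
    for path, reasons in scan_directory("/tmp"):
        print(path, "->", "; ".join(reasons))
```

A size match on its own is a weak signal (any 229,160-byte ELF will trigger it), which is why the classifier returns every matching reason rather than a verdict: a file that matches both the size and one of the names, or any preload entry outside the allowlist, is what warrants pulling the sample and hashes for comparison with published indicators.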

Palo Alto Networks recommends using advanced security solutions such as Cortex XDR and Advanced WildFire to detect and block behaviors associated with Auto-Color.

Organizations are advised to monitor their systems for IoCs and implement robust endpoint protection measures.

If a system is compromised, organizations should act immediately, engaging incident response teams such as Unit 42 for containment and remediation.

Auto-Color represents a growing trend of increasingly sophisticated Linux malware targeting critical sectors, underscoring the need for proactive threat detection and response strategies in cybersecurity operations.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
