Cyber Security News

New Auto-Color Malware Attacking Linux Devices to Gain Full Remote Access

Researchers at Palo Alto Networks have identified a new Linux malware, dubbed “Auto-Color,” that has emerged as a significant threat due to its advanced evasion techniques and ability to grant attackers full remote access to compromised systems.

Discovered between November and December 2024, the malware targets Linux-based systems, primarily those in universities and government offices across North America and Asia.

The malware operates covertly by employing several sophisticated methods to avoid detection.

It disguises itself with benign file names such as “door” or “egg” during installation and utilizes a malicious library implant, libcext.so.2, that mimics legitimate system files.

Flow diagram of Auto-color.

Installation Process and Root Privilege Exploitation

Upon execution, Auto-Color checks whether its executable file name matches “Auto-color.”

If not, it renames itself and begins installing an evasive library implant.

The installation process is contingent on the user having root privileges.

Initial installation of Auto-color.

Without root access, the malware operates in a limited capacity but still poses a threat through its later stages.

With root access, however, it installs the libcext.so.2 library in the system’s base directory and modifies critical files like /etc/ld.preload to ensure persistence.

This modification allows the malware to load its malicious library before any other system libraries, enabling it to override core functions.

Advanced Obfuscation Techniques

Auto-Color employs proprietary encryption algorithms to hide its configuration data and communication with command-and-control (C2) servers.

It uses a custom stream cipher for encrypting payloads, making it difficult for traditional security tools to detect or analyze its behavior.

Furthermore, the malware hooks into standard libc functions such as open() to manipulate system files like /proc/net/tcp, effectively hiding network activity from users and administrators.

The malware’s ability to conceal its C2 connections is reminiscent of techniques used by the Symbiote malware family but is more advanced in its implementation.

For instance, Auto-Color parses network data in real-time and removes traces of specific IP addresses or ports associated with its operations, ensuring that these activities remain invisible even under scrutiny.
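As an added example (not code from the article or from Unit 42), a small Python hunting helper for the two behaviours described above: it lists entries in the loader's preload file (glibc reads /etc/ld.so.preload; the article's spelling /etc/ld.preload is checked as well) and flags the implant name, and it diffs the socket table reported by `ss -Htan4`, which queries the kernel over netlink rather than reading /proc through open(), against the contents of /proc/net/tcp, so a connection filtered out of the /proc view stands out. The sample texts are constructed, and the /proc address decoding assumes a little-endian host.

```python
import re
import socket
import struct
from pathlib import Path

IMPLANT_NAME = "libcext.so.2"
# glibc's loader reads /etc/ld.so.preload; the article names /etc/ld.preload, so check both.
PRELOAD_FILES = ("/etc/ld.so.preload", "/etc/ld.preload")

def preload_entries(path):
    """Library paths listed in a preload file, comments stripped; [] if the file is absent."""
    text = Path(path).read_text(errors="replace") if Path(path).is_file() else ""
    return re.sub(r"#.*", "", text).split()

def preload_findings(files=PRELOAD_FILES):
    """Any preload entry deserves review on a server; the implant's own name is a strong hit."""
    return [("HIGH" if Path(lib).name == IMPLANT_NAME else "REVIEW", f, lib)
            for f in files for lib in preload_entries(f)]

def _hex_addr(hexaddr):
    """'0100007F:0016' (/proc/net/tcp on a little-endian host) -> '127.0.0.1:22'."""
    ip_hex, port_hex = hexaddr.split(":")
    return f"{socket.inet_ntoa(struct.pack('<I', int(ip_hex, 16)))}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text):
    """(local, remote) endpoint pairs from /proc/net/tcp text; the header line is skipped."""
    pairs = set()
    for cols in (line.split() for line in text.splitlines()[1:]):
        if len(cols) > 2:
            pairs.add((_hex_addr(cols[1]), _hex_addr(cols[2])))
    return pairs

def parse_ss(text):
    """(local, remote) pairs from `ss -Htan4` output; a listener's ':*' peer becomes ':0'."""
    pairs = set()
    for cols in (line.split() for line in text.splitlines()):
        if len(cols) >= 5:
            pairs.add((cols[3], cols[4].replace(":*", ":0")))
    return pairs

def hidden_connections(proc_text, ss_text):
    """Sockets that ss reports via netlink sock_diag but the open()-based /proc view omits."""
    return parse_ss(ss_text) - parse_proc_net_tcp(proc_text)

# Constructed sample: the kernel holds a listener plus one outbound session, but the
# /proc/net/tcp text (as a hooking open() might hand it back) shows only the listener.
SAMPLE_PROC = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
"""
SAMPLE_SS = "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\nESTAB 0 0 10.0.0.5:45678 198.51.100.7:443\n"
```

A preload implant loads into every dynamically linked process, ss included, so when the answer matters confirm from a statically linked toolkit or an offline disk image rather than trusting tools run on the live host.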

Once installed, Auto-Color provides attackers with full remote access capabilities, including:

  • Establishing reverse shell connections for direct interaction with infected systems
  • Acting as a network proxy for further attacks
  • Manipulating files and executing programs locally
  • Sending and modifying global configuration data

The malware communicates with C2 servers using a custom protocol that encrypts all messages with dynamically generated keys.

Each command sent by the server triggers specific actions on the infected machine, ranging from gathering system information to uninstalling itself if necessary.

Indicators of compromise include malicious executables with names like “log,” “edu,” or “door,” all sharing identical file sizes (229,160 bytes) but differing hashes due to embedded encrypted payloads.

Additionally, suspicious modifications to /etc/ld.preload or unexpected network activity involving specific IP addresses may signal an infection.

Palo Alto Networks recommends using advanced security solutions such as Cortex XDR and Advanced WildFire to detect and block behaviors associated with Auto-Color.

Organizations are advised to monitor their systems for IoCs and implement robust endpoint protection measures.

If compromised, immediate action should be taken by consulting incident response teams like Unit 42 for containment and remediation efforts.

Auto-Color represents a growing trend of increasingly sophisticated Linux malware targeting critical sectors, underscoring the need for proactive threat detection and response strategies in cybersecurity operations.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
