A previously undocumented Linux backdoor, dubbed ‘Auto-Color’ by Palo Alto Networks' Unit 42 researchers, was discovered in attacks targeting universities and government organizations across North America and Asia.
Auto-Color can maintain access over extended periods. It is also highly evasive, making detection challenging for traditional security mechanisms.
While the malware shares some characteristics with the Symbiote Linux malware family (first documented by BlackBerry in 2022), the researchers note that the infection process and behavior are not identical.
It’s not clear how Auto-Color initially infiltrates systems. However, the researchers believe that the attack begins with the execution of a file disguised with benign names, such as "door," "egg," and "log."
If the malware gains root privileges, it installs a malicious library implant (libcext.so.2), which is designed to look like a legitimate system library, libcext.so.0. The malware also copies itself to the directory /var/log/cross/auto-color and modifies the /etc/ld.preload file, ensuring that the implant is executed before other system libraries.
If root access is unavailable, the malware will still execute but will not have the same persistent mechanisms. Although it may not maintain long-term access in such cases, it still provides the attackers with remote access, with the possibility of gaining root privileges later.
Auto-Color utilizes custom encryption to obscure its command-and-control (C2) communications. This includes encrypting the C2 server addresses, configuration data, and network traffic. The encryption key is dynamically changed with each request.
Once a connection with the C2 server is established, the attackers can issue various commands to Auto-Color, including opening a reverse shell for full remote access, executing arbitrary commands on the compromised system, modifying or creating files to expand the infection, acting as a proxy to forward attacker traffic, and dynamically modifying its configuration.
Auto-Color works like a rootkit and has the ability to intercept system calls by hooking libc functions. This allows the malware to hide C2 connections by modifying the /proc/net/tcp file, thereby making it harder for security tools to detect its activity.
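Both mechanisms described above, a library injected into every process through the loader's preload file and connections hidden from /proc/net/tcp, leave artefacts a defender can cross-check. The Python below is an added example written for this article; it is not Unit 42's tooling and contains nothing from an Auto-Color sample. It parses the /proc/net/tcp format and flags preload entries, then cross-references the socket inodes every process holds open under /proc/<pid>/fd against the inodes the /proc/net tables list: a socket a process holds that no table lists means the table view is being filtered. The glibc loader actually reads /etc/ld.so.preload; the name the article gives is checked alongside it. The sample table lines, the fd link targets, the allowlist and the column numbers in `PROC_NET_TABLES` are this example's own constructions and assumptions.

```python
"""Defender-side checks for the two behaviours described above: a library
forced into every process via the loader's preload file, and sockets hidden
from /proc/net/tcp by hooked libc functions. Added example for this article,
not Unit 42's tooling."""
import glob
import os
import socket
import sys

# /etc/ld.so.preload is the file the glibc loader actually reads; the name used
# in the article is checked too so a file by that name is not missed.
PRELOAD_PATHS = ("/etc/ld.so.preload", "/etc/ld.preload")
# /proc/net tables carrying a socket inode, with the column holding it (assumed
# layouts; sockets from a table not listed here show up as false positives).
PROC_NET_TABLES = (("tcp", 9), ("tcp6", 9), ("udp", 9), ("udp6", 9), ("raw", 9),
                   ("raw6", 9), ("unix", 6), ("netlink", 9), ("packet", 8))
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
              "08": "CLOSE_WAIT", "0A": "LISTEN"}   # other codes stay as hex

# Constructed /proc/net/tcp sample (little-endian host): an sshd listener and
# one outbound HTTPS connection owned by uid 1000.
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when "
    "retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 "
    "00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0F02000A:C4B2 057100CB:01BB 01 00000000:00000000 00:00000000 "
    "00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1\n")
# Constructed readlink() results for /proc/<pid>/fd/* across all processes.
SAMPLE_FD_LINKS = ["/dev/null", "pipe:[4]", "socket:[12345]",
                   "socket:[67890]", "socket:[99999]"]

def preload_entries(text):
    """Library paths in a preload file: glibc drops text after '#' and splits
    entries on whitespace or ':'."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].replace(":", " ").split())
    return entries

def suspicious_preloads(text, allowlist=()):
    """Preload entries not on the allowlist; on an ordinary host the file is
    absent or empty, so every entry deserves a look."""
    return [e for e in preload_entries(text) if e not in allowlist]

def decode_addr(hex_addr, byte_order=sys.byteorder):
    """The kernel prints each 32-bit word of an address in host byte order,
    so 0100007F is 127.0.0.1 on a little-endian machine."""
    raw = b"".join(int(hex_addr[i:i + 8], 16).to_bytes(4, byte_order)
                   for i in range(0, len(hex_addr), 8))
    return socket.inet_ntop(socket.AF_INET if len(raw) == 4 else socket.AF_INET6, raw)

def parse_inet_table(text, byte_order=sys.byteorder):
    """Parse /proc/net/tcp, tcp6, udp or udp6 (one shared layout). Ports are
    plain big-endian hex, unlike the addresses."""
    conns = []
    for line in text.splitlines()[1:]:          # line 0 is the header
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = f[1].split(":")
        rip, rport = f[2].split(":")
        conns.append({"local": (decode_addr(lip, byte_order), int(lport, 16)),
                      "remote": (decode_addr(rip, byte_order), int(rport, 16)),
                      "state": TCP_STATES.get(f[3], f[3]),
                      "uid": int(f[7]), "inode": int(f[9])})
    return conns

def inodes_in_table(text, column):
    """Socket inode numbers from any /proc/net table, given the inode column."""
    return {int(f[column]) for f in (l.split() for l in text.splitlines()[1:])
            if len(f) > column and f[column].isdigit()}

def hidden_socket_inodes(fd_links, tables):
    """Inodes of sockets held by processes but missing from every (text, column)
    table supplied. Non-empty when the /proc/net view is being filtered."""
    held = {int(t[len("socket:["):-1]) for t in fd_links
            if t.startswith("socket:[") and t.endswith("]")}
    listed = set().union(*(inodes_in_table(text, col) for text, col in tables))
    return held - listed

def live_check():
    """Run both checks on this Linux host (root needed to read every fd dir)."""
    for path in PRELOAD_PATHS:
        if os.path.exists(path):
            with open(path) as fh:
                print(path, "lists:", suspicious_preloads(fh.read()))
    tables, links = [], []
    for name, col in PROC_NET_TABLES:
        try:
            with open("/proc/net/" + name) as fh:
                tables.append((fh.read(), col))
        except OSError:
            pass
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            links.append(os.readlink(fd))
        except OSError:
            pass                            # process exited or fd dir unreadable
    print("socket inodes missing from /proc/net:",
          sorted(hidden_socket_inodes(links, tables)))

if __name__ == "__main__":
    for c in parse_inet_table(SAMPLE_TCP, "little"):
        print(c)
    print("hidden in sample:", hidden_socket_inodes(SAMPLE_FD_LINKS, [(SAMPLE_TCP, 9)]))
    if sys.platform.startswith("linux"):
        live_check()
```

Run as root to cover every process's fd directory. Because a library loaded through the preload file can hook the same libc calls this script relies on (open, read, readlink), the trustworthy way to use it on a suspect host is from a statically linked interpreter or against a disk image and a memory or /proc snapshot taken by other means; run on a clean host it should report an empty preload list and no missing inodes, with any leftovers traceable to a /proc/net table not in `PROC_NET_TABLES`.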
The malware also includes a kill switch mechanism that allows attackers to immediately remove traces of the infection from compromised machines.