New Linux Malware 'Auto-Color' Grants Hackers Full Remote Access to Compromised Systems
Summary:
Between November and December 2024, Palo Alto Networks researchers discovered a new Linux malware variant named Auto-color, which derives its name from the filename it renames itself to upon installation. This malware employs a range of evasion techniques, including using inconspicuous filenames, hiding remote command-and-control communications through advanced obfuscation similar to the Symbiote malware family, and implementing proprietary encryption to conceal its configuration and communication details. Once installed, Auto-color grants threat actors full remote access to compromised systems, making it particularly challenging to detect and remove without specialized forensic tools.
The malware primarily targets universities and government offices in North America and Asia, adapting its filename with each deployment to avoid detection. While its file size remains consistent, its hash values differ due to the static compilation of the encrypted C2 configuration payload within each sample. The exact method of infection remains unknown, but the malware requires victim execution on a Linux system. Upon launch, Auto-color checks whether its filename matches the expected Auto-color name; if not, it initiates an installation phase deploying an evasive library implant. If executed with root privileges, it installs a malicious library called libcext.so.2, which mimics the legitimate libcext.so.0 library to bypass security mechanisms. It then modifies /etc/ld.preload, ensuring its malicious library is loaded before system libraries, allowing it to intercept and manipulate critical system functions.
A core component of Auto-color’s functionality is its ability to persist and evade detection. The malware hooks essential libc functions to modify /proc/net/tcp, hiding its network connections from monitoring tools. By intercepting system calls, it ensures that its C2 traffic is omitted from system logs, preventing security solutions from detecting its presence. Additionally, Auto-color prevents uninstallation by locking /etc/ld.preload, ensuring administrators cannot remove its malicious reference. These techniques make it highly resistant to traditional detection and removal methods.
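The two behaviours above (an implant added to the loader's preload file, and a hooked view of /proc/net/tcp) can be checked from the defender's side. The following is an added example, not code from Unit42 or the malware; it assumes the glibc preload file path /etc/ld.so.preload (the summary refers to it as /etc/ld.preload), uses constructed sample inputs, and treats the libcext.so naming from the summary as the name pattern to flag.

```python
import os
import re
import socket
import struct
from pathlib import Path

# glibc's preload list lives at /etc/ld.so.preload (the summary calls it /etc/ld.preload).
PRELOAD_PATH = "/etc/ld.so.preload"

def suspicious_preloads(preload_text, allowed=()):
    """Return (entry, reason) for preload lines not explicitly allowed.
    A libcext.so name is flagged because Auto-color's libcext.so.2 poses
    as the legitimate libcext.so.0. `allowed` is a hypothetical allowlist."""
    findings = []
    for raw in preload_text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry or entry in allowed:
            continue
        reason = "not in allowlist"
        if re.search(r"libcext\.so", os.path.basename(entry)):
            reason = "name mimics libcext.so.0"
        findings.append((entry, reason))
    return findings

def _decode(hexpair):
    """'0100007F:0016' -> '127.0.0.1:22' (IPv4 is little-endian hex, port big-endian)."""
    addr_hex, port_hex = hexpair.split(":")
    return f"{socket.inet_ntoa(struct.pack('<I', int(addr_hex, 16)))}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text):
    """Decode /proc/net/tcp rows into (local, remote, state_hex) tuples so the
    list can be diffed against an independent view such as `ss -tan` (netlink)."""
    conns = []
    for line in text.splitlines()[1:]:            # first row is the header
        fields = line.split()
        if len(fields) >= 4:
            conns.append((_decode(fields[1]), _decode(fields[2]), fields[3]))
    return conns

# Constructed sample inputs standing in for a compromised host's files.
SAMPLE_PRELOAD = "/usr/lib/libcext.so.2\n"
SAMPLE_TCP = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
              "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1\n")

def live_check():
    """Run both checks against this host; results depend on the machine."""
    p = Path(PRELOAD_PATH)
    preload = p.read_text() if p.exists() else ""
    return suspicious_preloads(preload), parse_proc_net_tcp(Path("/proc/net/tcp").read_text())
```

Because the implant hooks libc, a reading taken on the live host can itself be filtered; run the checks from a trusted environment (rescue boot or offline disk image) and compare the decoded /proc/net/tcp rows against an independent source such as `ss -tan`.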
Security Officer Comments:
The malware supports various remote commands, allowing attackers to execute a range of operations, including remote shell access, file manipulation, network proxy functionality, and global configuration adjustments. It can create and modify files, execute programs, and redirect network traffic through the infected machine. The malware also features a kill switch that allows attackers to uninstall it remotely if needed. Each command is encrypted with a unique, one-time key, further complicating analysis and detection.
Suggested Corrections:
Unit42 has published IOCs that can be used for detection purposes:
https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/
Link(s):
https://thehackernews.com/2025/02/new-linux-malware-auto-color-grants.html