New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems


Universities and government organizations in North America and Asia were targeted by a previously undocumented Linux malware called Auto-Color between November and December 2024, according to new findings from Palo Alto Networks Unit 42.

"Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software," security researcher Alex Armstrong said in a technical write-up of the malware.

Auto-color takes its name from the file name the initial payload renames itself to after installation. It is currently not known how it reaches its targets, but what is known is that it requires the victim to explicitly run it on their Linux machine.

A notable aspect of the malware is the arsenal of tricks it employs to evade detection. These include using seemingly innocuous file names like door or egg, concealing command-and-control (C2) connections, and using proprietary encryption algorithms to mask communication and configuration information.

Once launched with root privileges, it installs a malicious library implant named "libcext.so.2," copies and renames itself to /var/log/cross/auto-color, and modifies "/etc/ld.preload" to establish persistence on the host.

"If the current user lacks root privileges, the malware will not proceed with the installation of the evasive library implant on the system," Armstrong said. "It will proceed to do as much as possible in its later phases without this library."

The library implant passively hooks libc functions to intercept the open() system call, which it uses to hide C2 communications by altering what callers read from "/proc/net/tcp," the file that lists all active network connections. A similar technique was adopted by another Linux malware called Symbiote.

It also prevents uninstallation of the malware by protecting "/etc/ld.preload" against further modification or removal.
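The two behaviours above point at two defender-side checks: audit the loader's preload file for unexpected entries, and compare the connection table as seen by a process whose libc may be hooked against a view obtained another way (a statically linked tool, or netlink-based utilities such as ss). The Python below is an added example, not Unit 42's code or anything from the malware; the sample connection tables, the "hidden" C2 endpoint (RFC 5737 documentation addresses) and the preload allowlist are all constructed here for illustration. The path glibc actually consults is /etc/ld.so.preload; the article shortens it to /etc/ld.preload.

```python
"""Defender-side checks for the preload persistence and the /proc/net/tcp
filtering described above. Added example, runs entirely on constructed
inline data. Assumptions: both sample tables, the C2 endpoint and the
preload allowlist are made up; in practice the "clean" view would come
from a statically linked binary or from netlink, not from hooked libc."""
import socket
import struct

# Constructed /proc/net/tcp as a process WITH a hooked libc might see it:
# a LISTEN socket on 127.0.0.1:22 and one normal outbound HTTPS connection.
HOOKED_VIEW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B5F2 0A6433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

# Constructed view of the same table read without the hooked libc: one extra
# established connection (to the made-up C2 address 203.0.113.5:8080).
CLEAN_VIEW = HOOKED_VIEW + """\
   2: 0F02000A:C41A 057100CB:1F90 01 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Constructed preload file content; libcext.so.2 is the implant name the article gives.
SAMPLE_PRELOAD = "/usr/lib/libfakeroot.so\nlibcext.so.2\n"

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(field):
    """Turn an 'AABBCCDD:PPPP' field from /proc/net/tcp into ('a.b.c.d', port).

    The address is a 32-bit value printed in host byte order, so on the
    little-endian hosts Linux usually runs on it must be unpacked as '<I'.
    """
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the table (header skipped) into a list of connection records."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or truncated line
        rows.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),  # socket inode, stable across both views
        })
    return rows


def hidden_connections(hooked_text, clean_text):
    """Connections present in the unhooked view but missing from the hooked one.

    A non-empty result means something between the kernel and the reader is
    filtering /proc/net/tcp, which is exactly the behaviour described above.
    """
    seen = {r["inode"] for r in parse_proc_net_tcp(hooked_text)}
    return [r for r in parse_proc_net_tcp(clean_text) if r["inode"] not in seen]


def audit_preload(text, allowlist=frozenset()):
    """Return preload entries not on the allowlist.

    glibc reads the file as a whitespace-separated list of objects; on most
    hosts it is empty or absent, so any entry at all deserves a look.
    """
    return [entry for entry in text.split() if entry not in allowlist]


if __name__ == "__main__":
    for r in hidden_connections(HOOKED_VIEW, CLEAN_VIEW):
        print("hidden from hooked view:", r["local"], "->", r["remote"], r["state"])
    for entry in audit_preload(SAMPLE_PRELOAD, frozenset({"/usr/lib/libfakeroot.so"})):
        print("unexpected preload entry:", entry)
```

On a live host the same functions would be fed the output of a normal read of /proc/net/tcp (hooked path) and of a statically linked reader or ss (unhooked path); because the implant also protects the preload file, an entry that cannot be removed with an editor is itself a strong indicator, so audit the file's contents and its attributes together.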


Auto-color then contacts a C2 server, giving the operator the ability to spawn a reverse shell, gather system information, create or modify files, run programs, use the machine as a proxy for communication between a remote IP address and a specific target IP address, and even uninstall itself by means of a kill switch.

"Upon execution, the malware attempts to receive remote instructions from a command server that can create reverse shell backdoors on the victim's system," Armstrong said. "The threat actors separately compile and encrypt each command server IP using a proprietary algorithm."
