New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems



Feb 26, 2025 · Ravie Lakshmanan · Linux / Endpoint Security


Universities and government organizations in North America and Asia have been targeted by a previously undocumented Linux malware called Auto-Color between November and December 2024, according to new findings from Palo Alto Networks Unit 42.

“Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software,” security researcher Alex Armstrong said in a technical write-up of the malware.


Auto-color is so named based on the file name the initial payload renames itself to after installation. It is currently not known how it reaches its targets, but what is known is that it requires the victim to explicitly run it on their Linux machine.

A notable aspect of the malware is the arsenal of tricks it employs to evade detection. This includes using seemingly innocuous file names like door or egg, concealing command-and-control (C2) connections, and leveraging proprietary encryption algorithms for masking communication and configuration information.

Once launched with root privileges, it proceeds to install a malicious library implant named “libcext.so.2,” copies and renames itself to /var/log/cross/auto-color, and makes modifications to “/etc/ld.preload” for setting up persistence on the host.

“If the current user lacks root privileges, the malware will not proceed with the installation of the evasive library implant on the system,” Armstrong said. “It will proceed to do as much as possible in its later phases without this library.”

The library implant is equipped to passively hook functions used in libc to intercept the open() system call, which it uses to hide C2 communications by modifying “/proc/net/tcp,” a file that contains information on all active network connections. A similar technique was adopted by another Linux malware called Symbiote.


It also prevents uninstallation of the malware by protecting “/etc/ld.preload” against further modification or removal.
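The two artifacts described above, a preloaded library implant and a hooked open() that filters what a process reads from /proc/net/tcp, can both be checked from the defender's side. The following script is an added example and is not code from the article or from Unit 42; all sample data in it is constructed. It parses the /proc/net/tcp format (the kernel prints IPv4 addresses as little-endian hex words on x86, so 127.0.0.1 appears as 0100007F), diffs the view a libc-linked process gets against a reference view that was read by a path the preload hook cannot reach (for instance a statically linked tool or a forensic image), and audits the contents of the loader's preload file, which the article writes as /etc/ld.preload and which the dynamic loader reads as /etc/ld.so.preload. The only page-derived indicator it uses is the library name libcext.so.2; the address and inode values are made up.

```python
"""Defender-side checks for an ld.so.preload library implant and for
connections hidden from /proc/net/tcp. Added example; all sample data below
is constructed and the only article-derived indicator is 'libcext.so.2'."""
import socket
import struct
from dataclasses import dataclass

# Kernel TCP state codes as printed (hex) in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


@dataclass(frozen=True)
class TcpEntry:
    local: tuple   # (ip, port)
    remote: tuple  # (ip, port)
    state: str
    uid: int
    inode: int


def decode_addr(field: str) -> tuple:
    """'0100007F:0016' -> ('127.0.0.1', 22). On little-endian hosts the kernel
    prints the IPv4 address as a byte-swapped 32-bit hex word, so repack it."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text: str) -> list:
    """Parse the text of /proc/net/tcp into TcpEntry records."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        # Data rows start with a slot number such as '0:'; the header does not.
        if len(cols) < 10 or not cols[0].endswith(":"):
            continue
        entries.append(TcpEntry(
            local=decode_addr(cols[1]),
            remote=decode_addr(cols[2]),
            state=TCP_STATES.get(cols[3], cols[3]),
            uid=int(cols[7]),
            inode=int(cols[9]),
        ))
    return entries


def hidden_connections(seen_text: str, reference_text: str) -> list:
    """Entries present in a trusted reference view of /proc/net/tcp but absent
    from the view a libc-linked process obtains. The reference must come from
    a path the preloaded library cannot hook (statically linked reader,
    forensic image); here both views are constructed strings."""
    seen = set(parse_proc_net_tcp(seen_text))
    return [e for e in parse_proc_net_tcp(reference_text) if e not in seen]


TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
KNOWN_IMPLANT_NAMES = {"libcext.so.2"}  # library name reported in the article


def audit_preload(contents: str) -> list:
    """Review the contents of the loader's preload file. On most systems it is
    absent or empty, so every entry is reported; entries outside the standard
    library directories or matching a known implant name get extra reasons."""
    findings = []
    for raw in contents.splitlines():
        path = raw.strip()
        if not path or path.startswith("#"):
            continue
        reasons = ["preload entry present"]
        if not path.startswith(TRUSTED_LIB_DIRS):
            reasons.append("outside standard library directories")
        if path.rsplit("/", 1)[-1] in KNOWN_IMPLANT_NAMES:
            reasons.append("matches known implant name")
        findings.append((path, reasons))
    return findings


# Constructed sample: the hooked view shows only an SSH listener; the reference
# view additionally contains an established session to 198.51.100.7:443.
HOOKED_VIEW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
"""
REFERENCE_VIEW = HOOKED_VIEW + (
    "   1: 0F02000A:C350 076433C6:01BB 01 00000000:00000000 00:00000000 00000000"
    "     0        0 67890 1 0000000000000000 20 4 30 10 -1\n"
)

if __name__ == "__main__":
    for e in hidden_connections(HOOKED_VIEW, REFERENCE_VIEW):
        print(f"hidden: {e.local[0]}:{e.local[1]} -> {e.remote[0]}:{e.remote[1]} "
              f"{e.state} uid={e.uid} inode={e.inode}")
    for path, reasons in audit_preload("/lib/libcext.so.2\n"):
        print(f"preload: {path}: {', '.join(reasons)}")
```

On a live host, read the reference view with a tool that does not go through the preloaded libc (a statically linked binary, or the file copied off a forensic image) and feed both texts to hidden_connections; any entry it returns is a connection the hook removed. Since the implant also protects the preload file against modification, a write failure on an apparently empty or absent file is itself worth noting during triage.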

Auto-color then proceeds to contact a C2 server, granting the operator the ability to spawn a reverse shell, gather system information, create or modify files, run programs, use the machine as a proxy for communication between a remote IP address and a specific target IP address, and even uninstall itself by means of a kill switch.

“Upon execution, the malware attempts to receive remote instructions from a command server that can create reverse shell backdoors on the victim’s system,” Armstrong said. “The threat actors separately compile and encrypt each command server IP using a proprietary algorithm.”
