New Auto-Color Linux Malware Targets Universities, Government Organizations

A new Linux threat is active in the wild, targeting universities and government institutions. Tracked as Auto-Color, the malware is a stealthy backdoor that gives attackers persistent access to compromised systems.

Auto-Color Linux Malware Runs Active Campaigns

Researchers from Palo Alto Networks Unit 42 discovered a new Linux malware named “Auto-Color” in active campaigns. The researchers warn administrators to stay wary of this evasive malware, which targets Linux systems worldwide.

Auto-Color is a capable backdoor that infiltrates target systems and establishes persistent, hidden access.

The malware is so named because it renames itself to “auto-color” once it has run on a system; the samples initially arrive under innocuous file names such as “door” or “egg.” It also applies evasive techniques to hide its C&C connections, communications, and configuration, encrypting the configuration and C&C traffic with a custom algorithm. The researchers observed that Auto-Color bears similarities to the previously known Symbiote malware, which likewise hid its C&C activity.

Following successful installation, the malware gains persistence, providing the attackers with full remote access to the target system. To evade detection, the malware installs a malicious shared-library implant (libcext.so.2) on the system, but only if it is running with root privileges.

When it runs without root privileges, the malware skips the library installation and the attackers get access without the hiding and persistence the implant provides. When the implant is installed, it is named to pass as the legitimate C utility library libcext.so.0 and is arranged to load before any other system library, a preload technique: every dynamically linked process then picks up the implant, which lets it intercept library calls and conceal the backdoor’s activity.
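On a glibc system, the way a library gets loaded ahead of every other shared library in every process is an entry in /etc/ld.so.preload, so that file is the first place a defender should look for an implant of this kind. The following is an added example written for this article, not code from Unit 42 or from the malware analysis: it parses ld.so.preload the way the glibc loader does (whitespace- or colon-separated entries, `#` comments ignored) and flags entries that are unknown, dangling, or match the reported implant name. The allowlist, the implant name pattern, and the sample file contents are assumptions constructed for the example.

```python
import os
import re

# Standard glibc loader preload file. On a clean host it is usually absent or
# empty, so any entry deserves a look.
PRELOAD_PATH = "/etc/ld.so.preload"

# Libraries this host is known to preload legitimately. Assumption for this
# example: none, so every entry is reported.
KNOWN_GOOD = frozenset()

# Name pattern derived from the implant reported for Auto-Color (libcext.so.2
# posing as libcext.so.0). Matching the family of names is an assumption made
# here so that a renamed suffix is still caught.
IMPLANT_NAME_RE = re.compile(r"^libcext\.so\.\d+$")


def parse_preload(text):
    """Return the library paths listed in ld.so.preload-format text.

    glibc treats the file as a list separated by whitespace or ':' and ignores
    text after a '#' on a line, so the parser does the same.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def audit_preload(text, exists=os.path.exists):
    """Flag preload entries that look like a library implant.

    Returns a list of (path, reason) tuples. `exists` is injectable so the
    check can run against constructed input without touching the filesystem.
    """
    findings = []
    for path in parse_preload(text):
        if path in KNOWN_GOOD:
            continue
        name = os.path.basename(path)
        if IMPLANT_NAME_RE.match(name):
            findings.append((path, "name matches the Auto-Color implant pattern"))
        elif not exists(path):
            # A listed library that no longer exists is a leftover worth
            # explaining, e.g. an incomplete cleanup.
            findings.append((path, "dangling entry: file missing"))
        else:
            findings.append((path, "unexpected preload library"))
    return findings


def audit_host(path=PRELOAD_PATH):
    """Audit the live host's preload file; an absent file yields no findings."""
    try:
        with open(path) as fh:
            return audit_preload(fh.read())
    except FileNotFoundError:
        return []


# Constructed sample, not a real capture: a comment, one implant-style entry,
# and one unrelated library that does exist on the (simulated) host.
SAMPLE_PRELOAD = """\
# harmless-looking comment
/lib/libcext.so.2
/usr/lib/libhelper.so   # some other unexpected library
"""

if __name__ == "__main__":
    simulated_fs = lambda p: p.endswith("libhelper.so")
    for path, reason in audit_preload(SAMPLE_PRELOAD, exists=simulated_fs):
        print(f"{path}: {reason}")
    for path, reason in audit_host():
        print(f"LIVE {path}: {reason}")
```

Run it as root on the host being checked; any finding should be cross-checked against the package manager (does a package own the listed file?) rather than trusted alone, since a userland implant that is already loaded can also tamper with what file-listing tools report.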

Once installed, the malware receives commands from the C&C, which may include opening a reverse shell, executing arbitrary commands, creating or modifying files, modifying its own configuration, or acting as a proxy that relays system traffic to the attackers. The backdoor also includes a “kill switch” that removes the traces of infection from the target system to avoid detection.

The researchers have shared a detailed technical analysis of this malware in their post.

Linux Users Must Stay Wary

The Unit 42 team first observed the malware in November 2024. Analysis of the samples showed that it was used against universities and government offices in Asia and North America. Despite that analysis, the researchers could not determine the initial access vector through which the malware reaches the target devices.

Nonetheless, the researchers have published the indicators of compromise (IoCs) in their report so that administrators can scan their systems for them.
