Auto-Color, a sophisticated Linux backdoor, has been observed targeting government organizations and academic institutions across North America and Asia.
The malware was first detected between November and December 2024 and is specifically engineered to evade detection while maintaining persistence on compromised systems.
Disguised as a benign color-enhancement utility, Auto-Color leverages common filenames like “door”, “egg”, and “log” to mask its presence, coupling this with advanced technical measures to thwart analysis and detection.
Advanced Evasion and Persistence Techniques
Auto-Color utilizes a variety of techniques to avoid detection and ensure its persistence.
It dynamically resolves APIs at runtime using libc and dlsym, which hinders static analysis by avoiding direct references to system calls.
Upon installation, the malware encrypts its strings and employs an XOR-based obfuscation mechanism to hinder reverse engineering efforts.

Additionally, Auto-Color creates a directory under /var/log/cross and renames its binary to appear as a legitimate system file, blending into the host environment.
When executed with root privileges, Auto-Color drops a malicious shared library, libcext.so.2, that hooks critical libc functions, such as file access controllers (chmod, rename, etc.), to shield its operations.
According to the report, this includes protecting the Linux dynamic linker configuration file, /etc/ld.so.preload, which it exploits to ensure its library loads before legitimate system libraries.
It also modifies its environment to daemonize itself, running stealthily in the background without a controlling terminal.
By employing a file-locking mechanism and self-cleanup capabilities, Auto-Color ensures that only one instance runs, and previous traces are erased.
The malware further hooks system calls to hide its presence from monitoring tools such as netstat by manipulating /proc/net/tcp entries, ensuring that network activities linked to its Command-and-Control (C2) servers remain invisible.
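As an added defender-side example (not code from the report or the researchers it cites), the Python below audits /etc/ld.so.preload for the library path and directory named above and compares two /proc/net/tcp captures so that a connection filtered out of the host's own view shows up. It assumes one capture was taken by a means the hooked libc does not mediate (a kernel-level agent or an offline image); the sample data, the allowlist and the 192.0.2.10:8443 endpoint are constructed.

```python
import socket

# Indicators named in the article (path fragments only; no hashes are given there).
SUSPICIOUS_PATH_FRAGMENTS = ("libcext.so.2", "/var/log/cross")

def parse_ld_so_preload(text):
    """Library paths listed in /etc/ld.so.preload; blank lines and '#' comments ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())  # the loader accepts whitespace-separated entries
    return entries

def preload_findings(entries, allowlist=()):
    """Flag preload entries matching a known indicator or absent from the site allowlist."""
    findings = []
    for path in entries:
        if any(frag in path for frag in SUSPICIOUS_PATH_FRAGMENTS):
            findings.append((path, "matches Auto-Color indicator"))
        elif path not in allowlist:
            findings.append((path, "not on allowlist"))
    return findings

def _hex_addr(field):
    """Decode the little-endian 'AABBCCDD:PPPP' form used for IPv4 in /proc/net/tcp."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(int(ip_hex, 16).to_bytes(4, "little"))
    return f"{ip}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text):
    """Set of (local, remote, state) tuples from a /proc/net/tcp capture; header skipped."""
    conns = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            conns.add((_hex_addr(fields[1]), _hex_addr(fields[2]), fields[3]))
    return conns

def hidden_connections(trusted_capture, host_capture):
    """Connections present in the trusted capture but missing from the host's own view."""
    return parse_proc_net_tcp(trusted_capture) - parse_proc_net_tcp(host_capture)

# Constructed sample data: a preload file pointing at the dropped library, and two
# /proc/net/tcp captures where the host's view lacks the connection to 192.0.2.10:8443.
PRELOAD_SAMPLE = "/var/log/cross/libcext.so.2\n"
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
LOOPBACK = "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345\n"
C2_CONN = "   1: 0500000A:AFC8 0A0200C0:20FB 01 00000000:00000000 00:00000000 00000000     0        0 12346\n"
TRUSTED_CAPTURE = HEADER + LOOPBACK + C2_CONN
HOST_CAPTURE = HEADER + LOOPBACK
```

A non-empty result from hidden_connections is the signal to pull the host for forensic imaging rather than to trust any further output from its own tooling.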
Command-and-Control (C2) Functionality
Central to Auto-Color’s operations is its encrypted communication with remote C2 servers.
The malware extracts C2 details including protocol, hostname/IP, and port from an embedded and encrypted configuration file, dynamically decrypting this data before establishing a non-blocking TCP socket connection.
To authenticate the C2 server, Auto-Color employs a challenge-response mechanism using generated pseudo-random values.
Messages exchanged between the malware and the server are encrypted with a custom algorithm to maintain confidentiality.

Once connected, the malware receives commands to gather system information, modify files, create reverse shells, or utilize the infected machine as a proxy for further attacks.
Auto-Color is designed with extensive capabilities, including creating directories, scanning file metadata, sending or receiving files, and executing self-destruction routines to erase its presence.
Security researchers have analyzed Auto-Color’s code to uncover its operational mechanisms and encryption techniques.
Using tools such as Python scripts, analysts can automate the extraction of encrypted configurations and network-related data.
One notable pattern leverages a combination of bitwise operations, arithmetic transformations, and seed-based key generation to decrypt data, underscoring its resilience against static forensic analysis.
Developers have shared YARA rules to detect the malware by identifying specific characteristics, including its ELF header, file paths, and function names.
However, as of the latest analysis, only 15 security vendors have flagged the sample as malicious, indicating its low detection rate.
The sophistication of Auto-Color highlights a growing trend in the utilization of advanced techniques by threat actors to target critical sectors with low detection probabilities.
Its ability to adapt dynamically based on privilege levels, hide its tracks effectively, and maintain control over compromised systems suggests alignment with well-funded and highly skilled threat actors.
Enhanced monitoring of system processes, kernel-level hooks, and robust endpoint detection mechanisms are critical in mitigating threats posed by malware of this caliber.