Security researchers at Palo Alto Networks have identified a new Linux malware, dubbed “Auto-Color,” which poses a significant threat to system security by granting attackers full remote access to compromised devices.
The malware, active since November 2024, employs advanced evasion tactics, including encryption and concealment of network activity, making it particularly difficult to detect and remove.
Installation and Obfuscation Strategies
Auto-Color begins its operation by disguising itself under benign file names like “door” or “egg.”
Once executed, it checks if the file name matches “Auto-color” to proceed with its installation phase.
If the user has root privileges, the malware installs a malicious library implant named libcext.so.2, mimicking legitimate system libraries to avoid detection.
It then modifies critical system files, such as /etc/ld.preload, to ensure its library is loaded before others, enabling it to intercept and manipulate core system functions.
For users without root access, the malware operates in a limited capacity but still executes its payload.
In both cases, the original executable is deleted post-installation to minimize traces.
Advanced Evasion and Persistence
The malicious library implant embedded in Auto-Color plays a central role in its evasion strategy.
It hooks into standard Linux functions like open() to manipulate system files such as /proc/net/tcp, effectively hiding network connections between the infected device and its command-and-control (C2) servers.
This ensures that even forensic analysis of network activity may fail to detect anomalies.
Additionally, the malware employs a proprietary encryption algorithm for its C2 communications.
This custom stream cipher encrypts configuration data and payloads dynamically, making it challenging for security tools relying on signature-based detection methods.
Once installed, Auto-Color connects to remote servers controlled by threat actors, initiating a handshake protocol before entering its main operational loop.
The malware supports a range of functionalities via an API structure, including:
- Establishing reverse shells for direct control over infected machines.
- Acting as a network proxy for attacker-controlled traffic.
- Manipulating files and executing programs locally.
- Modifying global configuration data dynamically.
The malware’s ability to create persistent backdoors and intercept network activity makes it particularly dangerous for targeted sectors such as universities and government offices in North America and Asia.
Palo Alto Networks recommends using advanced security solutions like Cortex XDR and Advanced WildFire to detect and block behaviors associated with Auto-Color.
Indicators of compromise (IoCs), such as specific file hashes and malicious IP addresses linked to the malware’s C2 infrastructure, have been shared with cybersecurity partners for broader protection.
Organizations are advised to monitor their systems for unusual activity, especially modifications to /etc/ld.preload or concealed network connections.
Immediate incident response measures should be taken if compromise is suspected.
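The open() hook described above rewrites what a reader sees in /proc/net/tcp, which is why the monitoring advice here calls out concealed connections. One defender-side cross-check, written as an added example and not code from the Palo Alto Networks report or from the malware itself: every socket a process holds appears as a socket:[N] link under /proc/<pid>/fd, so an inode present there but absent from every /proc/net table is a candidate hidden connection. The INODE_COLUMN map and the sample /proc/net/tcp text are my own constructions, and the check assumes the hook filters the /proc/net tables rather than the per-process fd directories.

```python
import os

# Constructed sample of /proc/net/tcp (not from the original report): an SSH-style
# listener (inode 12345) and one established connection (inode 67890).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00020F:B3A4 0B2C1E5A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

# 0-based column (after str.split) holding the socket inode in each /proc/net table.
INODE_COLUMN = {"tcp": 9, "tcp6": 9, "udp": 9, "udp6": 9, "raw": 9, "raw6": 9,
                "udplite": 9, "udplite6": 9, "icmp": 9, "icmp6": 9,
                "unix": 6, "netlink": 9, "packet": 8}

def table_inodes(text, inode_col):
    """Socket inodes one /proc/net table admits to (first line is the header)."""
    fields = (line.split() for line in text.splitlines()[1:])
    return {int(f[inode_col]) for f in fields
            if len(f) > inode_col and f[inode_col].isdigit()}

def find_hidden_sockets(fd_socket_inodes, tables):
    """Inodes held open by some process (socket:[N] links under /proc/<pid>/fd) that no
    /proc/net table lists; a hook filtering /proc/net/tcp leaves those links untouched."""
    visible = set()
    for name, text in tables.items():
        visible |= table_inodes(text, INODE_COLUMN[name])
    return sorted(set(fd_socket_inodes) - visible)

def live_check(proc="/proc"):
    """Cross-check the running system (root needed to see other users' fd tables);
    a /proc/net table that is absent, e.g. with IPv6 disabled, is simply skipped."""
    held = set()
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            fd_dir = os.path.join(proc, pid, "fd")
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:["):
                    held.add(int(target[8:-1]))
        except OSError:
            continue                     # process exited or fd table unreadable
    tables = {}
    for name in INODE_COLUMN:
        try:
            with open(os.path.join(proc, "net", name)) as fh:
                tables[name] = fh.read()
        except OSError:
            continue
    return find_hidden_sockets(held, tables)
```

Sockets opened or closed between the fd walk and the table reads show up as false positives, so run live_check() twice and keep only inodes reported both times. An implant could in principle also filter the fd directory listing, so treat a clean result as one signal, not proof.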
Auto-Color represents an evolving threat in the Linux ecosystem, emphasizing the need for robust security practices and proactive monitoring against sophisticated malware campaigns.