New Backdoor Auto-color Linux Targets Systems in US and Asia

Auto-color: new Linux backdoor malware targeting the US and Asia. Learn about its advanced evasion, persistence, and detection strategies.

A newly discovered Linux malware, dubbed Auto-color, is targeting educational institutions and government entities in North America and Asia, using advanced stealth techniques to avoid detection and removal.

Researchers at Palo Alto Networks Unit 42 identified this malware. Their investigation reveals that it was active between November and December 2024. Auto-color distinguishes itself by using innocuous file names, such as common words like "door" or "egg," to disguise its initial executable.

"Though the file sizes are always the same, the hashes are different. This is because the malware author statically compiled the encrypted C2 configuration payload into each malware sample," Unit 42's blog post, authored by Alex Armstrong, revealed.

Upon execution, it checks its file name and, if it doesn't match a designated name, initiates an installation phase. This phase involves embedding a malicious library implant, mimicking a legitimate system library, within the system. The malware's behaviour varies depending on whether the user has root privileges. If root access is available, it installs a library designed to override core system functions.

Auto-color flow diagram (Source: Palo Alto Networks)

A key aspect of Auto-color's stealth is its manipulation of the Linux system's ld.preload file. This allows the malware to ensure its malicious library is loaded before other system libraries, enabling it to intercept and modify system functions. This technique grants the malware significant control over the system's behaviour, including the ability to hide its network activity.

Auto-color employs sophisticated techniques to conceal its network connections. It hooks into functions within the C standard library, allowing it to filter and manipulate the system's network connection information. By altering the contents of the /proc/net/tcp file, it effectively hides its communication with command-and-control servers, making it difficult for security analysts to detect. This manipulation is more advanced than similar techniques used by previously discovered malware, researchers noted.
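The two hooks described above suggest two defender-side checks, shown here as an added example (not Unit 42's or the malware's code): diff the /proc/net/tcp view a possibly hooked libc reader returns against a trusted reading (for instance from a statically linked tool, which the dynamic loader's /etc/ld.so.preload mechanism cannot hook), and flag any preload entry not on an explicit allowlist. All sample rows, addresses and the implant path are constructed for the example.

```python
import socket
import struct

# Constructed sample of /proc/net/tcp (x86 layout: little-endian hex IPv4, hex port).
# Row 0 is a local LISTEN socket; row 1 is an established outbound session that a
# hooked libc reader would filter out. Values are made up for this example.
PROC_HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"
ROW_LISTEN = "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0 100 0 0 10 0"
ROW_OUTBOUND = "   1: 1401A8C0:B0E2 077100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0 100 0 0 10 0"
TRUSTED_VIEW = "\n".join([PROC_HEADER, ROW_LISTEN, ROW_OUTBOUND])  # e.g. from a static binary
HOOKED_VIEW = "\n".join([PROC_HEADER, ROW_LISTEN])                 # e.g. from a hooked reader
PRELOAD_SAMPLE = "/lib/placeholder-implant.so\n"                   # constructed, not a real path
KNOWN_PRELOADS = set()  # most servers should have an empty /etc/ld.so.preload

def _addr(field):
    """Turn '1401A8C0:B0E2' into ('192.168.1.20', 45282)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return {(local_ip, local_port, remote_ip, remote_port)} for ESTABLISHED (st == 01) rows."""
    conns = set()
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 4 and cols[3] == "01":
            conns.add(_addr(cols[1]) + _addr(cols[2]))
    return conns

def hidden_connections(hooked_view, trusted_view):
    """Established sockets present in the trusted reading but absent from the hooked one."""
    return parse_proc_net_tcp(trusted_view) - parse_proc_net_tcp(hooked_view)

def unexpected_preloads(preload_text, allowlist):
    """Non-comment /etc/ld.so.preload entries that are not explicitly allowed."""
    entries = [l.strip() for l in preload_text.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    return [e for e in entries if e not in allowlist]

if __name__ == "__main__":
    for c in hidden_connections(HOOKED_VIEW, TRUSTED_VIEW):
        print("hidden connection: %s:%d -> %s:%d" % c)
    for p in unexpected_preloads(PRELOAD_SAMPLE, KNOWN_PRELOADS):
        print("unexpected ld.so.preload entry:", p)
```

On a live host, the trusted view should come from something that does not go through the hooked libc (a statically linked reader, or the same file read from a rescue environment); a diff from two dynamically linked readers on the infected box proves nothing.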

The malware uses a proprietary encryption mechanism to connect to remote servers, retrieving target server details from a dynamically generated configuration file or an embedded encrypted payload. It uses a custom stream cipher for secure communication with the attackers' infrastructure.

"A stream cipher is an encryption scheme in which the key interacts with each byte of the ciphertext," the blog post read.

Once established, the malware exchanges encrypted messages with the server, enabling the execution of commands on the compromised system.

Auto-color's discovery highlights the growing sophistication of Linux-based malware: it can manipulate core system processes, and its advanced evasion techniques pose a significant threat to targeted sectors. Organizations should strengthen their security measures, including stringent privilege controls, behavioural threat detection, and continuous monitoring of Linux systems, to mitigate the risk of infection.