Auto-color is a recently identified Linux backdoor that combines several evasion techniques with a persistent library implant, giving the operators full remote access to compromised machines. It has been observed against universities and government offices in North America and Asia, and its evasion and persistence mechanisms make it hard to detect and remove once installed. Affected: Linux systems, universities, government offices
Key points :
- Palo Alto Networks (Unit 42) observed the Linux malware Auto-color between November and December 2024.
- The malware hides behind benign-looking file names and uses additional techniques to conceal its command-and-control connections.
- Auto-color installs a malicious shared-library implant for persistent access and to evade detection.
- The malware has been specifically targeting universities and government offices in North America and Asia.
- Its files and payloads are encrypted to hinder analysis.
MITRE Techniques :
- T1071.001 - Application Layer Protocol: Web Protocols: the malware carries its command-and-control traffic over HTTPS so it blends in with ordinary web traffic.
- T1083 - File and Directory Discovery: the installer checks the name of the file it is running from before deciding how to proceed.
- T1059.004 - Command and Scripting Interpreter: Unix Shell: Auto-color spawns reverse shells for remote command execution.
- T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking: the malware adds its implant to the loader preload list /etc/ld.so.preload, so the glibc loader maps the library into every new dynamically linked process (persistence), and the implant hooks libc functions to control execution flow and hide the malware's activity.
Indicators of Compromise :
- [SHA256 Hash] 270fc72074c697ba5921f7b61a6128b968ca6ccbf8906645e796cfc3072d4c43
- [SHA256 Hash] 65a84f6a9b4ccddcdae812ab8783938e3f4c12cfba670131b1a80395710c6fb4
- [SHA256 Hash] 83d50fcf97b0c1ec3de25b11684ca8db6f159c212f7ff50c92083ec5fbd3a633
- [SHA256 Hash] a1b09720edcab4d396a53ec568fe6f4ab2851ad00c954255bf1a0c04a9d53d0a
- [SHA256 Hash] bace40f886aac1bab03bf26f2f463ac418616bacc956ed97045b7c3072f02d6b
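As an added host-check example (not code from the Unit 42 report or from this page), the script below looks for the two artefacts described in the technique list and the IOC list: libraries named in the dynamic loader's preload file, and files whose SHA256 matches one of the hashes above. It assumes a glibc-based Linux host where the loader reads /etc/ld.so.preload; the library and path names in demo() are constructed, and demo() adds the constructed file's own hash to the IOC set so that a match is shown offline.

```python
"""Check a Linux host for the two Auto-color artefacts summarised above:
libraries listed in the dynamic loader's preload file and files whose
SHA256 matches a published IOC. Added example; the hashes are the ones
listed on this page, everything else (file names in demo()) is constructed."""
import hashlib
import os
import tempfile

# SHA256 hashes of Auto-color samples, copied from the IOC list above.
IOC_SHA256 = {
    "270fc72074c697ba5921f7b61a6128b968ca6ccbf8906645e796cfc3072d4c43",
    "65a84f6a9b4ccddcdae812ab8783938e3f4c12cfba670131b1a80395710c6fb4",
    "83d50fcf97b0c1ec3de25b11684ca8db6f159c212f7ff50c92083ec5fbd3a633",
    "a1b09720edcab4d396a53ec568fe6f4ab2851ad00c954255bf1a0c04a9d53d0a",
    "bace40f886aac1bab03bf26f2f463ac418616bacc956ed97045b7c3072f02d6b",
}

# The glibc loader reads this file and maps every listed object into each
# dynamically linked process before the program's own libraries.
PRELOAD_FILE = "/etc/ld.so.preload"


def parse_ld_preload(text):
    """Return the object paths listed in ld.so.preload content.

    glibc separates entries with whitespace or ':' and treats '#' as the
    start of a comment, so '/a.so:/b.so' on one line is two entries."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def sha256_file(path):
    """Hex SHA256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_host(preload_path=PRELOAD_FILE, extra_paths=(), iocs=IOC_SHA256):
    """Collect preload entries and IOC hash hits.

    Returns {'preload': [(path, sha256_or_None), ...], 'ioc_hits': [path, ...]}.
    A missing preload file is the normal state; on a server any entry at all
    deserves a manual look even when its hash is not in the IOC set, since
    the hash list only covers the samples analysed so far."""
    findings = {"preload": [], "ioc_hits": []}
    entries = []
    if os.path.isfile(preload_path):
        with open(preload_path, "r", errors="replace") as handle:
            entries = parse_ld_preload(handle.read())
    for path in entries:
        digest = sha256_file(path) if os.path.isfile(path) else None
        findings["preload"].append((path, digest))
        if digest in iocs:
            findings["ioc_hits"].append(path)
    for path in extra_paths:
        if os.path.isfile(path) and sha256_file(path) in iocs:
            findings["ioc_hits"].append(path)
    return findings


def demo():
    """Offline run against constructed sample data (not a real infection):
    a temporary directory holding a fake library and a preload file that
    names it plus a path that does not exist. The fake library's own hash
    is added to the IOC set so that a hit is produced."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "libfake.so")  # hypothetical file name
        with open(lib, "wb") as handle:
            handle.write(b"\x7fELF constructed sample, not a real shared object\n")
        preload = os.path.join(tmp, "ld.so.preload")
        with open(preload, "w") as handle:
            handle.write("# constructed sample preload file\n")
            handle.write(lib + "\n/nonexistent/libgone.so\n")
        result = check_host(preload, iocs=IOC_SHA256 | {sha256_file(lib)})
        # Strip the temp directory from paths so the result is reproducible.
        return {
            "preload": [(os.path.basename(p), d is not None) for p, d in result["preload"]],
            "ioc_hits": [os.path.basename(p) for p in result["ioc_hits"]],
        }


if __name__ == "__main__":
    live = check_host()  # reads the real /etc/ld.so.preload on this host
    print("preload entries:", live["preload"] or "none")
    print("IOC hash hits:", live["ioc_hits"] or "none")
    print("demo:", demo())
```

Run it as root on the host under review so every listed library is readable; pass suspicious binaries via extra_paths to hash them against the IOC set. Because the implant also hooks libc functions once loaded, an infected host may lie about the contents of /etc/ld.so.preload to processes running on it, so a clean result is only trustworthy when the check is run from a rescue environment or against a mounted disk image.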
Full Story: https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/