Detecting Auto-color malware with Wazuh

MITRE Techniques

• [T1036.005] Masquerading: Match Legitimate Name or Location – Auto-color duplicates itself as /var/log/cross/auto-color to appear legitimate (“Auto-color duplicates itself as “/var/log/cross/auto-color””).
• [T1059] Command and Scripting Interpreter – Auto-color executes arbitrary commands and maintains a reverse shell (“It opens a reverse shell, executes arbitrary commands…”).
• [T1574.006] Hijack Execution Flow: LD_PRELOAD Hijacking – Auto-color modifies /etc/ld.preload to load malicious libraries persistently (“…modifies the /etc/ld.preload file to achieve persistence…”).
• [T1546.015] Event Triggered Execution: Unix Shell Configuration Modification – Uses /etc/ld.so.preload modifications to load malicious code (“…created file /etc/ld.so.preload to load a malicious library for persistence…”).
• [T1098] Account Manipulation – Persistence via modification of system files to maintain malware presence (“…modifies /etc/ld.preload for persistence…”).
• [T1071.001] Application Layer Protocol: Web Protocols – Uses encrypted C2 communication files named config-err-* (“…files like config-err-XXXXXXXX for encrypted C2 communication”).
• [T1008] Fallback Channels – Auto-color creates config files and uses dynamic IP resolution for communications (“…connects to IP addresses that are generated dynamically…”).
• [T1568] Dynamic Resolution – Dynamically generates IP addresses for command and control servers (“…IP addresses are generated dynamically…”).
• [T1562.001] Impair Defenses: Disable or Modify Tools – Hooks libc functions to hide activities and disable detection (“…includes rootkit-like features by hooking libc functions”).
• [T1070.004] Indicator Removal on Host: File Deletion – Deletes infection traces, including files and logs (“It deletes infection traces to impede investigations…”).
• [T1204.002] User Execution: Malicious File – Requires manual execution of the malware on the victim Linux system (“requires manual execution by the victim on a Linux endpoint”).