According to new research from Palo Alto Networks Unit 42, universities and government agencies in North America and Asia are targeted by previously undocumented Linux malware, known as automatic color, from November to December 2024.
“Once installed, AutoColor allows threat actors to have full remote access to compromised machines, making it extremely difficult to remove without specialized software,” said security researcher Alex Armstrong. This is mentioned in a technical article about malware.
Auto-Color is named based on the file name, and the first payload changes post-installation changes. Currently, I don’t know how to reach the target, but what is known is that the victim must explicitly do it on a Linux machine.
A notable aspect of malware is the trick weapon used to avoid detection. This includes using seemingly ambiguous file names such as doors and eggs, hiding command and control (C2) connections, and utilizing proprietary encryption algorithms to mask communication and configuration information.
When released with root privileges, it installs a malicious library implant named “libcext.so.2”. “To establish host persistence.
“If the current user does not have root privileges, the malware will not proceed with the installation of the evasion library implants on the system,” Armstrong said. “Without this library, you’ll be doing as much as possible in the next stage.”
Library implants are passively equipped with hook functionality used in LIBC and are used to intercept Open() system calls. This hides C2 communication by modifying “/Proc/Net/TCP” which contains information about all active network connections. A similar technique was adopted by another Linux malware called Symbiote.
It also prevents malware uninstallation by protecting “/etc/ld.preload” against further changes or deletion.
Auto-Color then contacts the C2 server, generates a reverse shell for the operator, collects system information, creates or modify files, runs programs, and proxy communications between remote IP addresses and specific communications grants the ability to use the machine as You can also target an IP address and uninstall itself using the kill switch.
“At runtime, the malware attempts to receive remote instructions from a command server that can create a reverse shell backdoor on the victim’s system,” Armstrong said. “Threat actors use their own algorithms to individually compile and encrypt each command server IP.”
Source link
