Full Report
The new Linux malware named Auto-color uses advanced evasion tactics. Discovered by Unit 42, this article covers its installation, evasion features and more. The post Auto-Color: An Emerging and Evasive Linux Backdoor appeared first on Unit 42.
Analysis Summary
# Tool/Technique: Auto-color
## Overview
Auto-color is a newly discovered, evasive Linux backdoor malware that provides threat actors with full remote access to compromised machines. It employs several obfuscation and evasion techniques to avoid detection.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Linux
- Capabilities: Remote command and control (C2), configuration hiding, communication obfuscation, evasion of detection.
- First Seen: Early November 2024
## MITRE ATT&CK Mapping
*Note: Specific TTPs are not detailed in the source; the mappings below are general inferences for a Linux backdoor.*
- [TA0011 - Command and Control]
- [T1071 - Application Layer Protocol]
- [TA0005 - Defense Evasion]
- [T1027 - Obfuscated Files or Information]
## Functionality
### Core Capabilities
- Establishes remote access/full remote control over compromised systems.
- Uses an initial payload that renames itself to a benign-looking file name after installation (the origin of the name "Auto-color").
### Advanced Features
- Hides remote Command and Control (C2) connections using an advanced technique similar to one used by the Symbiote malware family.
- Uses proprietary encryption algorithms to obscure its communication and configuration data.
- Avoids detection through mechanisms including the use of benign-looking file names.
## Indicators of Compromise
- File Hashes: Not provided in the source.
- File Names: The initial payload renames itself after installation; specific names are not listed, but they are characterized as benign-looking.
- Registry Keys: Not applicable (Linux has no registry).
- Network Indicators: C2 communication channels exist, but the specific infrastructure is not detailed in the source.
- Behavioral Indicators: Hiding of C2 connections; use of proprietary encryption.
## Associated Threat Actors
- Not explicitly named in the source.
## Detection Methods
- Signature-based detection: Implied by the vendor coverage below, but no specific rules are provided.
- Behavioral detection: Look for proprietary encryption in outbound traffic and for C2-hiding behavior similar to that of Symbiote.
- YARA rules: Not provided in the source.
- Product Support: Advanced WildFire machine-learning models, Advanced URL Filtering, Advanced DNS Security, Cortex XDR, and XSIAM offer protection.
## Mitigation Strategies
- Maintain robust endpoint detection and response solutions (e.g., Cortex XDR).
- Monitor for unusual network activity, especially obfuscated C2-like traffic.
- Utilize advanced cloud-delivered security services (e.g., Advanced WildFire).
## Related Tools/Techniques
- Symbiote malware family (for comparison regarding C2 hiding techniques).