Full Report
A previously undocumented Linux backdoor dubbed 'Auto-Color' was observed in attacks between November and December 2024, targeting universities and government organizations in North America and Asia. [...]
Analysis Summary
# Threat Actor: Unknown (Associated with Auto-Color Backdoor)
## Attribution & Identity
The analysis focuses on a threat actor utilizing the **Auto-Color** Linux backdoor. No specific threat actor group attribution beyond the implied state-sponsored or sophisticated nature suggested by the targeting is provided.
## Activity Summary
The actor is actively deploying a new, sophisticated Linux backdoor named "Auto-Color." The primary observed activity involves targeting specific high-value North American entities, suggesting espionage or intelligence gathering objectives.
## Tactics, Techniques & Procedures
- **Persistence on Linux:** If root access is achieved, the actor installs a malicious library implant (`libcext.so.2`) disguised as a legitimate library (`libcext.so.0`) and modifies `/etc/ld.preload` so that the implant is loaded into processes before the program's own code runs.
- **Installation Location:** Copies itself to `/var/log/cross/auto-color`.
- **C2 Communication Obfuscation:** Uses a custom encryption algorithm to decrypt C2 server info, validates C2 exchange via a random 16-byte handshake, and dynamically changes the encryption key for each connection.
- **Rootkit Capabilities:** Hooks libc functions to intercept system calls.
- **Evasion/Stealth:** Modifies the `/proc/net/tcp` file output to hide C2 connections.
- **Remote Control:** Supports opening reverse shells, executing arbitrary commands, file manipulation, and acting as a proxy.
- **Counter-Forensics:** Includes a built-in "kill switch" to rapidly delete infection traces.
## Targeting
- **Sectors:** Government and Universities/Academia.
- **Geography:** North America.
- **Victims:** Not explicitly named; the target sectors are North American governments and universities.
## Tools & Infrastructure
- **Malware families used:** Auto-Color backdoor.
- **Infrastructure (C2, domains, IPs):** C2 server information is custom-encrypted and dynamically obfuscated. The article notes that IoCs, including specific C2 IPs, are available in the original, more detailed Unit 42 report.
## Implications
The Auto-Color backdoor represents a serious threat due to its stealthy, modular design and robust remote control capabilities. The focus on government and academic institutions suggests ongoing espionage or long-term intelligence gathering operations by a highly capable adversary. The rootkit features complicate detection and eradication efforts.
## Mitigations
- Monitor and alert on unauthorized modifications to `/etc/ld.preload`.
- Inspect `/proc/net/tcp` output for anomalies, looking for connections that are hidden or unexpected; because the implant hooks libc to filter this output, compare the host's view against network-side telemetry.
- Employ behavior-based threat detection solutions capable of identifying suspicious library hooking or system call modification.
- Inspect system logs and network traffic for connections matching known C2 Indicators of Compromise (IoCs) listed in the full threat report.
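As an added example (not code from the article or from Unit 42), the following Python implements the first two checks above: it parses the loader's preload file (`/etc/ld.so.preload` on a real system, written as `/etc/ld.preload` above) and flags entries that are not allowlisted, and it parses `/proc/net/tcp` and diffs it against a connection list from a network sensor, since a libc-hooking implant can filter what the host itself reports. File contents are passed in as text; the sample inputs and the sensor list format are constructed assumptions.

```python
import re
import socket
import struct

# Library name the report gives the implant; the loader file is /etc/ld.so.preload.
REPORT_LIB_NAMES = {"libcext.so.2"}

def parse_ld_preload(text):
    """Entries in ld.so.preload are separated by whitespace or ':'; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries

def preload_findings(text, allowlist=()):
    """Flag every preload entry not allowlisted; call out the name the report gives."""
    findings = []
    for entry in parse_ld_preload(text):
        if entry in allowlist:
            continue
        known = entry.rsplit("/", 1)[-1] in REPORT_LIB_NAMES
        findings.append((entry, "name matches implant from report" if known else "unexpected preload entry"))
    return findings

def _endpoint(field):
    addr, port = field.split(":")  # '0100007F:1F90' -> ('127.0.0.1', 8080); IPv4 is little-endian here
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    """Set of (local_ip, local_port, remote_ip, remote_port, state_hex) for each row."""
    conns = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 4:
            conns.add(_endpoint(fields[1]) + _endpoint(fields[2]) + (fields[3],))
    return conns

def hidden_connections(proc_net_tcp_text, sensor_conns):
    """Connections a network sensor saw that the (possibly hooked) host view omits."""
    host = {c[:4] for c in parse_proc_net_tcp(proc_net_tcp_text)}
    return sorted(c for c in sensor_conns if c not in host)

# Constructed sample inputs (private/documentation address ranges, not real indicators).
PRELOAD_SAMPLE = "/usr/lib/libcext.so.2\n# vendor agent, expected\n/opt/monitor/libagent.so\n"
NET_SAMPLE = "\n".join([
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0",
    "   1: 0F02000A:B4E2 050AA8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 2 1 0 20 4 30 10 -1",
])
SENSOR_SAMPLE = {("10.0.2.15", 46306, "192.168.10.5", 443), ("10.0.2.15", 51234, "203.0.113.7", 8443)}
```

On a live host, pass the contents of `/etc/ld.so.preload` and `/proc/net/tcp` read from disk; the sensor-side list must come from a vantage point the implant cannot hook, such as a network tap or flow records.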