Full Report
Universities and government organizations in North America and Asia have been targeted by a previously undocumented Linux malware called Auto-Color between November and December 2024, according to new findings from Palo Alto Networks Unit 42. "Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized
Analysis Summary
# Tool/Technique: Auto-Color Malware
## Overview
Auto-Color is a previously undocumented Linux malware discovered targeting universities and government organizations in North America and Asia. Its primary function is to establish full remote access for threat actors on compromised systems, making it significantly difficult to remove manually.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Linux
- Capabilities: Full remote access, persistence via library implantation, C2 obfuscation, process function hooking.
- First Seen: November - December 2024
## MITRE ATT&CK Mapping
*(Note: Specific official mappings were not provided in the text, but standard mappings based on described functionality are inferred.)*
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- TA0003 - Persistence
- T1546 - Event Triggered Execution
- T1546.009 - LD_PRELOAD
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information
- T1564.003 - Hide Artifacts: Network Hiding (Modifying /proc/net/tcp)
## Functionality
### Core Capabilities
- Establishing persistence by copying itself to `/var/log/cross/auto-color` and modifying `/etc/ld.preload`.
- Contacting a Command and Control (C2) server to receive remote instructions.
- Granting operators the ability to spawn reverse shells.
- Executing system commands, gathering system information, and creating/modifying files.
### Advanced Features
- **Evasion:** Uses seemingly innocuous file names (e.g., `door`, `egg`) during initial stages.
- **Library Implantation:** Installs a malicious library named `libcext.so.2` (requires root privileges).
- **Network Hiding:** The library hooks functions in `libc`, specifically intercepting the `open()` system call, to modify `/proc/net/tcp` and hide C2 communications.
- **Encryption:** Leverages proprietary encryption algorithms to mask communication and configuration information.
- **Persistence Protection:** Protects `/etc/ld.preload` file against modification or removal, hindering uninstallation.
- **Proxying:** Can use the compromised machine as a proxy between a remote IP and a specific target IP.
- **Self-Destruct:** Includes a kill switch mechanism for self-uninstallation.
## Indicators of Compromise
- File Hashes: N/A (Not provided)
- File Names: `libcext.so.2` (library implant), `/var/log/cross/auto-color` (renamed payload), `door`, `egg` (initial payload names).
- Registry Keys: N/A
- Network Indicators: C2 servers (IPs are compiled and encrypted using a proprietary algorithm).
- Behavioral Indicators: Modification of `/etc/ld.preload`, hooking of `open()` system calls in `libc`, modification of `/proc/net/tcp`.
## Associated Threat Actors
- Unknown (The article attributes the discovery to Palo Alto Networks Unit 42, but does not name the specific threat actor group utilizing Auto-Color).
## Detection Methods
- Signature-based detection: Requires signatures targeting the specific file hashes or binary patterns of `libcext.so.2` and the main payload.
- Behavioral detection: Monitoring for persistence mechanisms involving modification of `/etc/ld.preload`. Detection of dynamic library hooking targeting `libc` functions like `open()`. Monitoring for tampering with what `/proc/net/tcp` reports, which indicates network connections being hidden from the table.
- YARA rules: N/A
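The following is an added, defender-side example (not Unit 42's or the article's code) that turns the persistence and network-hiding behaviour listed under Functionality and the behavioral checks listed under Detection Methods into host checks: it parses the loader preload file and flags the reported implant name, parses `/proc/net/tcp`, and compares the socket inodes processes actually hold open against those the kernel tables report, since a hook that filters `/proc/net/tcp` does not alter per-process `/proc/<pid>/fd` links. Assumptions: the glibc loader reads `/etc/ld.so.preload` (the page's `/etc/ld.preload` spelling is checked as well), the allow-list of library directories is illustrative, the per-table inode column map covers the common socket families only, and all sample inputs are constructed.

```python
"""Host checks for the Auto-Color persistence and network-hiding behaviour
described above. Added example, not Unit 42's or the article's code.
Sample inputs are constructed; allow-lists are assumptions to tune per host."""
import os
import re
from pathlib import Path

# glibc's dynamic loader reads /etc/ld.so.preload; the article spells the
# path /etc/ld.preload, so both are checked.
PRELOAD_PATHS = ("/etc/ld.so.preload", "/etc/ld.preload")
# Implant name from the report; it is not part of any standard glibc build.
SUSPECT_LIBS = {"libcext.so.2"}
# Assumed allow-list of directories a legitimate preload entry may live in.
ALLOWED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# Index of the inode field in each /proc/net table (assumption: common families only).
INODE_COLUMN = {"tcp": 9, "tcp6": 9, "udp": 9, "udp6": 9, "raw": 9, "raw6": 9,
                "unix": 6, "netlink": 9, "packet": 8}


def parse_preload(text):
    """Entries of an ld.so.preload-style file: names separated by whitespace
    or ':', with '#' starting a comment (the rules glibc's rtld applies)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def suspicious_preload_entries(entries):
    """Flag the reported implant name and any entry outside ALLOWED_PREFIXES.
    On a server any non-empty preload file is worth a look in its own right."""
    return [e for e in entries
            if Path(e).name in SUSPECT_LIBS or not e.startswith(ALLOWED_PREFIXES)]


def _decode_addr(field):
    """'0100007F:0016' -> '127.0.0.1:22' (IPv4 stored as little-endian hex)."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets) + ":" + str(int(port_hex, 16))


def parse_proc_net_tcp(text):
    """Rows of /proc/net/tcp as (local, remote, state, inode) tuples."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append((_decode_addr(f[1]), _decode_addr(f[2]), f[3], int(f[9])))
    return rows


def hidden_socket_inodes(table_inodes, fd_inodes):
    """Socket inodes some process holds open (its /proc/<pid>/fd links read
    'socket:[INODE]') that no /proc/net table accounts for. Filtering the
    table does not touch the fd links, so the difference exposes hidden sockets."""
    return sorted(set(fd_inodes) - set(table_inodes))


def live_table_inodes():
    """Inodes from every known socket table (Linux only, not run by the samples)."""
    inodes = set()
    for name, col in INODE_COLUMN.items():
        path = Path("/proc/net") / name
        if not path.exists():
            continue
        for line in path.read_text().splitlines()[1:]:
            f = line.split()
            if len(f) > col and f[col].isdigit():
                inodes.add(int(f[col]))
    return inodes


def live_fd_inodes():
    """Socket inodes referenced by any process's fd table (root sees all of them)."""
    inodes = set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in (Path("/proc") / pid / "fd").iterdir():
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:      # process exited, or not readable without root
            continue
    return inodes


def audit_host():
    """Both checks against the live host; returns findings as a dict."""
    preload = []
    for p in PRELOAD_PATHS:
        if os.path.exists(p):
            preload += suspicious_preload_entries(parse_preload(Path(p).read_text()))
    return {"preload": preload,
            "hidden_inodes": hidden_socket_inodes(live_table_inodes(), live_fd_inodes())}


# Constructed samples: a preload file carrying the reported implant, and a
# /proc/net/tcp view from which one socket (inode 10003) has been filtered.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/libcext.so.2\n"
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1\n"
    "   1: 0A00000A:B8A2 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10002 1\n"
)
SAMPLE_FD_INODES = [10001, 10002, 10003]


def check_samples():
    """Run the checks over the constructed samples."""
    rows = parse_proc_net_tcp(SAMPLE_TCP)
    return {"preload": suspicious_preload_entries(parse_preload(SAMPLE_PRELOAD)),
            "connections": rows,
            "hidden_inodes": hidden_socket_inodes([r[3] for r in rows], SAMPLE_FD_INODES)}


if __name__ == "__main__":
    print(check_samples())
    if os.path.isdir("/proc/net"):
        print(audit_host())
```

Run `audit_host()` as root so every process's fd table is readable; sockets of a family missing from `INODE_COLUMN` would be reported as hidden, so extend the map before trusting a live result. The inode comparison is the same idea other userland rootkit checkers rely on, and it complements rather than replaces file-integrity monitoring: an auditd watch such as `-w /etc/ld.so.preload -p wa -k ld_preload` records the modification as it happens, while the script above finds an implant that is already in place.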
## Mitigation Strategies
- Prevention measures: Strict access controls and least privilege; in particular, limit who can run untrusted executables as root, since the library implant requires root privileges to install.
- Hardening recommendations: Monitor and alert on unauthorized modifications to critical system files such as `/etc/ld.preload`. Implement strong egress filtering to detect anomalous C2 beaconing traffic, even if destinations are obfuscated. Ensure robust system auditing is enabled.
## Related Tools/Techniques
- Symbiote (Another Linux malware noted for using a similar technique involving modification of network connection status files).