Researchers at Palo Alto Networks have identified a new Linux malware strain dubbed Auto-Color, which uses cunning, advanced stealth techniques to slip through the security nets and maintain persistence on compromised systems.
The malware, first detected in early November last year, mainly targets universities and government offices across North America and Asia.
Auto-Color hides its presence by using benign-sounding file names, such as door or egg, and uses an advanced method for hiding command and control (C2) connections—similar to the tactics used by the Symbiote malware family. It also uses proprietary encryption algorithms to obfuscate communication and configuration details.
Once installed, it gives malicious actors total remote access to compromised machines, making removal exceptionally hard without specialized tools.
Persistence Mechanisms
Once executed, Auto-Color checks if its file name matches its designated name. If not, it initiates an installation phase, embedding an evasive library implant within the system. If the user doesn’t have root privileges, it limits its operations; however, with root access, it installs a malicious library called libcext.so.2, designed to imitate a legitimate system file.
The malware then modifies the Linux system’s ld.preload file, seeing that the malicious library is loaded before any other system libraries. This enables the scourge to intercept system functions and stay obscured while keeping full control over network activity.
Hiding Network Activity
Auto-Color manipulates the Linux proc file system to disguise its network connections. By hooking functions in the C standard library, it filters out specific connections from system monitoring tools, preventing detection by security analysts.
Also, it actively protects its presence by preventing modifications to the ld.preload file, making uninstallation tricky, to say the least.
C2 Infrastructure
Auto-Color connects to remote servers by using a proprietary encryption mechanism, which retrieves its target C2 server details from a dynamically generated configuration file or an embedded encrypted payload. This method is unique to this malware, and continuously regenerates keys, to keep a secure communication with the malware author’s infrastructure.
Once a connection has been established, the malicious tool follows a highly structured protocol, swapping encrypted messages with the remote server. In these messages are command IDs and execution parameters, so the malefactor is able to execute a slew of functions inside the infected system.
Implications and Mitigation
Palo Alto’s discovery of Auto-Color is a marker of the growing sophistication of Linux-based malware. Its crafty evasion techniques and ability to manipulate core system processes make it a force to be reckoned with.
Entities are advised to monitor their Linux systems for any anomalies or red flags, enforce stringent privilege controls, and add behavioral threat detection solutions to the security mix, to help identify and mitigate emerging threats of this nature.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.