A new Linux backdoor named Auto-color has been identified targeting government organizations and universities across North America and Asia.
First observed between November and December 2024, Auto-color is designed to evade detection and maintain a persistent presence within compromised systems.
“Auto-color is not your average malware. It employs a range of sophisticated techniques to remain hidden and operational,” reads Mohamed Ezat’s analysis.
The malware disguises itself as a benign color-enhancement tool, using common file names like “door,” “egg,” and “log” to blend in with system files. Its initial payload renames itself to “auto-color,” further masking its malicious intent.
One of its key features is the encryption of its strings, making static analysis more challenging. It dynamically resolves APIs at runtime, avoiding direct system calls which could be flagged by security software.
When executed with root privileges, Auto-color deploys advanced evasion tactics, including dropping a shared library that hooks libc functions to hide network connections, prevent uninstallation, and ensure its activities remain undetected.
Upon infection, Auto-color creates a directory named /var/log/cross and sets its permissions to 777, granting read, write, and execute access to every user. It then copies itself into this folder, renaming the file to “auto-color” to appear innocuous.
A malicious shared library, libcext.so.2, is also dropped into the system’s library path, mimicking legitimate libraries to avoid suspicion.
To ensure persistence, Auto-color modifies the /etc/ld.preload file, which forces the loading of specified libraries into every process. This library hooks critical system functions, protecting the malware’s configuration files and ensuring that any attempt to delete or modify them is redirected or blocked, Mohamed Ezat said.
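One way to check a Linux host or a mounted disk image for the persistence artifacts described above, as an added example that is not code from the original report or from Mohamed Ezat’s analysis: it inspects the dynamic linker’s preload file (the canonical glibc path is /etc/ld.so.preload; the spelling used in the article, /etc/ld.preload, is checked as well), the /var/log/cross staging directory and its permissions, and a set of common library directories for libcext.so.2. The list of library directories, the wording of the findings, and the constructed sample tree built by `build_sample_root` are assumptions made for the demonstration, not indicators taken from the report.

```python
"""Triage checks for the Auto-color persistence artifacts (added example, not the report's code)."""
import os
import stat
import tempfile
from pathlib import Path

# Canonical glibc preload file first; the article's spelling is checked as well.
PRELOAD_FILES = ("etc/ld.so.preload", "etc/ld.preload")
STAGING_DIR = "var/log/cross"          # directory the report says the malware creates
PAYLOAD_NAME = "auto-color"            # name the copied binary takes
LIBRARY_NAME = "libcext.so.2"          # hooking library named in the report
# Assumed set of library directories to inspect (a demonstration choice, not from the report).
LIBRARY_DIRS = ("lib", "lib64", "usr/lib", "usr/lib64", "usr/local/lib")


def check_preload(root):
    """Report any library the linker is forced to preload into every process."""
    findings = []
    for rel in PRELOAD_FILES:
        preload = root / rel
        if not preload.is_file():
            continue
        entries = [line.strip() for line in preload.read_text(errors="replace").splitlines()
                   if line.strip() and not line.lstrip().startswith("#")]
        for entry in entries:
            # Any entry deserves review: a clean host normally has an empty or absent file.
            findings.append(f"/{rel} forces preload of {entry}")
            if os.path.basename(entry) == LIBRARY_NAME:
                findings.append(f"/{rel} references {LIBRARY_NAME}")
    return findings


def check_staging_dir(root):
    """Look for the world-writable staging directory and the renamed payload inside it."""
    findings = []
    staging = root / STAGING_DIR
    if not staging.is_dir():
        return findings
    mode = stat.S_IMODE(staging.stat().st_mode)
    if mode & stat.S_IWOTH:
        findings.append(f"/{STAGING_DIR} is world-writable (mode {mode:o})")
    if (staging / PAYLOAD_NAME).is_file():
        findings.append(f"/{STAGING_DIR}/{PAYLOAD_NAME} is present")
    return findings


def check_library_dirs(root):
    """Look for the hooking library in the assumed library directories."""
    return [f"/{rel}/{LIBRARY_NAME} is present"
            for rel in LIBRARY_DIRS if (root / rel / LIBRARY_NAME).is_file()]


def triage(root="/"):
    """Run every check against a filesystem root (live host or mounted image); return the findings."""
    root = Path(root)
    return check_preload(root) + check_staging_dir(root) + check_library_dirs(root)


def build_sample_root(infected=True):
    """Constructed sample tree for an offline run; file contents are placeholders, not real samples."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    (root / "etc").mkdir()
    if infected:
        (root / "etc" / "ld.so.preload").write_text(f"/lib/{LIBRARY_NAME}\n")
        (root / "lib").mkdir()
        (root / "lib" / LIBRARY_NAME).write_bytes(b"\x7fELF placeholder")
        staging = root / STAGING_DIR
        staging.mkdir(parents=True)
        os.chmod(staging, 0o777)       # mirrors the 777 permissions described in the report
        (staging / PAYLOAD_NAME).write_bytes(b"\x7fELF placeholder")
    else:
        (root / "etc" / "ld.so.preload").write_text("# nothing preloaded\n")
    return root


if __name__ == "__main__":
    for label, sample in (("infected", build_sample_root(True)), ("clean", build_sample_root(False))):
        print(f"{label} sample: {triage(sample) or ['no findings']}")
```

Running the script exercises both constructed trees; pointing `triage()` at `/` (or at the mount point of an evidence image) runs the same checks against real data. Because the hooking library hides its own artifacts from processes it is loaded into, a finding of “no findings” from a live, possibly compromised host is weaker evidence than the same result from an image examined on a clean system, so the offline mode is the one to prefer during an investigation.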
Auto-color establishes a communication channel with its Command-and-Control (C2) server using a TCP socket. It first extracts the C2 address from an encrypted configuration stored within its .data section.
The malware uses a custom encryption algorithm for both sending and receiving data, ensuring that communications remain secure and undetected.
The malware can receive various commands from the C2 server, including gathering system information, reading, writing, deleting, and modifying files, creating a reverse shell backdoor, configuring the device as a proxy, and even self-destructing to erase all traces of its presence.
Despite its sophisticated evasion techniques, Auto-color has been flagged by 15 security vendors, according to the latest reports. Analysis of the malware reveals that it requires explicit execution by the victim, following different paths based on root privileges.
If running as root, it checks its execution path to determine if it has already been installed, attempting to install itself if not.
A YARA rule has been developed for those looking to detect Auto-color, targeting specific strings and file sizes associated with the malware. Additionally, an IDAPython script has been crafted to automatically decrypt and analyze the obfuscated strings within Auto-color, aiding in its identification and removal.
The emergence of Auto-color underscores the evolving sophistication of cyber threats targeting critical infrastructure. Government organizations and educational institutions must remain vigilant, updating their security protocols and ensuring that their systems are protected against such advanced persistent threats.
As cyber attackers continue refining their techniques, the cybersecurity community must stay one step ahead, employing traditional and innovative methods to safeguard our digital environments.