Researchers at Palo Alto Networks’ Unit 42 have uncovered a new and highly evasive Linux backdoor called Auto-Color. This malware, discovered between November and December 2024, employs advanced obfuscation techniques, making it difficult to detect and remove. The primary targets of Auto-Color appear to be government offices and universities across North America and Asia.
Auto-Color’s stealth capabilities make it particularly dangerous. According to Unit 42: “The malware employs several methods to avoid detection, such as using benign-looking file names, hiding remote command and control (C2) connections using an advanced technique similar to the one used by the Symbiote malware family, and deploying proprietary encryption algorithms to hide communication and configuration information.”
The initial payload carries common, unassuming file names such as door or egg, so that nothing about the name draws attention on an infected system.

Once installed, Auto-Color grants full remote access to the infected machine, enabling attackers to execute commands, modify files, and establish a persistent foothold on the system. The installation process varies depending on user privileges:
- Without root privileges, the malware proceeds with limited functionality and skips installing its evasive library implant.
- As root, it installs libcext.so.2, a malicious library whose name mimics the legitimate libcext.so.0 utility library, making detection even more challenging.
Auto-Color then adds that library to the dynamic loader's preload list (the coverage gives the path as /etc/ld.preload; the file glibc's dynamic linker actually reads is /etc/ld.so.preload). Every library listed there is loaded into each dynamically linked process before the program's own shared libraries, so the implant's exported functions shadow the libc functions of the same name and it can hook and manipulate core system functions from inside every process on the host.
A particularly dangerous aspect of Auto-Color is its ability to conceal its network activity. It does not touch the kernel's socket table itself; instead the preloaded library intercepts reads of /proc/net/tcp, the procfs view of the kernel's IPv4 TCP sockets that tools such as netstat consult.
When a process calls open() on /proc/net/tcp, the hook in the malicious library runs instead of libc's version. It reads the real contents, drops every line whose address or port matches the malware's C2 endpoint, and hands the caller the filtered view.
Any dynamically linked tool on the host that lists connections this way therefore shows a sanitised table with no trace of the C2 session, and the attackers keep their remote access unnoticed. The trick has limits a defender can use: the preload list does not apply to statically linked binaries, and traffic observed on the network (flow records, an IDS, the egress firewall) is unaffected by what the host reports about itself.
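The hiding technique and a check for it, as an added example that is not Unit 42's code or Auto-Color's: a parser for the /proc/net/tcp format, a filter that reproduces the effect of the hooked open() on that file, and a comparison that reports the sockets the filter removed. The table, the C2 endpoint 203.0.113.45:8080 and every function name are constructed for this illustration; the address decoding assumes a little-endian host.

```c
/* Added example, not code from Unit 42 or from Auto-Color: a parser for the
 * /proc/net/tcp format, a filter that reproduces the effect of the hooked
 * open() described above, and a check that finds what the filter hid.
 * The table below, the C2 endpoint 203.0.113.45:8080 and all names are
 * constructed for this example; a little-endian host is assumed. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    char laddr[16]; unsigned lport;  /* local address (dotted) and port */
    char raddr[16]; unsigned rport;  /* remote address (dotted) and port */
    unsigned state;                  /* 0x0A = LISTEN, 0x01 = ESTABLISHED */
} tcp_entry;

/* Constructed table: sshd listening, one HTTPS session, and the C2 session
 * (remote 2D7100CB:1F90, i.e. 203.0.113.45:8080). */
static const char SAMPLE_PROC_NET_TCP[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18734 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0F02000A:B1C2 0202000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22410 1 0000000000000000 20 4 30 10 -1\n"
    "   2: 0F02000A:9F3A 2D7100CB:1F90 01 00000000:00000000 00:00000000 00000000     0        0 22987 1 0000000000000000 20 4 30 10 -1\n";

/* The kernel prints each IPv4 address as 8 hex digits of the 32-bit value in
 * host byte order, so on little-endian x86 the first octet is the low byte. */
static void hex_to_dotted(uint32_t v, char out[16]) {
    snprintf(out, 16, "%u.%u.%u.%u", (unsigned)(v & 0xff), (unsigned)((v >> 8) & 0xff),
             (unsigned)((v >> 16) & 0xff), (unsigned)(v >> 24));
}

/* Parse one data line of /proc/net/tcp; returns 0 for the header or junk. */
int parse_tcp_line(const char *line, tcp_entry *e) {
    unsigned sl, la, lp, ra, rp, st;
    if (sscanf(line, " %u: %8x:%4x %8x:%4x %2x", &sl, &la, &lp, &ra, &rp, &st) != 6)
        return 0;
    hex_to_dotted(la, e->laddr); e->lport = lp;
    hex_to_dotted(ra, e->raddr); e->rport = rp;
    e->state = st;
    return 1;
}

/* Copy the next line of *pp into buf (truncating long lines) and advance *pp. */
static size_t next_line(const char **pp, char *buf, size_t bufsz) {
    const char *p = *pp, *nl;
    size_t seg, len;
    if (*p == '\0') return 0;
    nl = strchr(p, '\n');
    seg = nl ? (size_t)(nl - p + 1) : strlen(p);
    len = seg < bufsz ? seg : bufsz - 1;
    memcpy(buf, p, len); buf[len] = '\0';
    *pp = p + seg;
    return len;
}

int parse_tcp_table(const char *content, tcp_entry *out, int max) {
    char line[512];
    int n = 0;
    while (n < max && next_line(&content, line, sizeof line))
        if (parse_tcp_line(line, &out[n])) n++;
    return n;
}

/* What the hooked open() does for /proc/net/tcp: hand back the real table minus
 * every line whose remote endpoint is the C2 address:port. */
size_t filter_c2_lines(const char *content, const char *c2_ip, unsigned c2_port,
                       char *out, size_t outsz) {
    char line[512];
    size_t used = 0, len;
    tcp_entry e;
    while ((len = next_line(&content, line, sizeof line)) > 0) {
        int hide = parse_tcp_line(line, &e) && e.rport == c2_port && strcmp(e.raddr, c2_ip) == 0;
        if (!hide && used + len < outsz) { memcpy(out + used, line, len); used += len; }
    }
    out[used] = '\0';
    return used;
}

static int same_endpoint(const tcp_entry *a, const tcp_entry *b) {
    return a->lport == b->lport && a->rport == b->rport &&
           strcmp(a->laddr, b->laddr) == 0 && strcmp(a->raddr, b->raddr) == 0;
}

/* Detection: the preload list only affects dynamically linked programs, so a
 * statically linked reader sees the true table. Compare it with the view a
 * normal (hookable) program gets and report sockets present only in the former. */
int hidden_entries(const char *unhooked, const char *hooked, tcp_entry *found, int max) {
    tcp_entry a[64], b[64];
    int na = parse_tcp_table(unhooked, a, 64), nb = parse_tcp_table(hooked, b, 64), n = 0;
    for (int i = 0; i < na && n < max; i++) {
        int seen = 0;
        for (int j = 0; j < nb && !seen; j++) seen = same_endpoint(&a[i], &b[j]);
        if (!seen) found[n++] = a[i];
    }
    return n;
}

int main(void) {
    char hooked_view[2048];
    tcp_entry hidden[8];
    filter_c2_lines(SAMPLE_PROC_NET_TCP, "203.0.113.45", 8080, hooked_view, sizeof hooked_view);
    int n = hidden_entries(SAMPLE_PROC_NET_TCP, hooked_view, hidden, 8);
    for (int i = 0; i < n; i++)
        printf("hidden from hooked readers: %s:%u -> %s:%u (state %02X)\n", hidden[i].laddr,
               hidden[i].lport, hidden[i].raddr, hidden[i].rport, hidden[i].state);
    return 0;
}
```

To use this against a live host rather than the embedded sample, build it twice, once with `gcc -static` and once normally, have each build read /proc/net/tcp (fopen and fread in place of the constant), and feed the two texts to hidden_entries: the static build cannot be preloaded, so any socket it reports that the dynamic build does not is exactly what an ld.so.preload implant is hiding.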
Auto-Color communicates with its command-and-control (C2) server using a custom encryption algorithm, rather than relying on traditional cryptographic standards like AES or DES.
“The custom encryption algorithm does not use preexisting cryptographic standards like AES or DES. The key decrypts each byte of the ciphertext by performing bitwise XOR and subtraction operations,” the report explains.
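A cipher of that shape and what it gives away, as an added example that is neither Unit 42's code nor Auto-Color's real algorithm: a byte-wise scheme that XORs each ciphertext byte with a key byte and then subtracts the same key byte, with the key repeating, and a known-plaintext attack that recovers the key from a guessed prefix. The operation order, the repeating key, the sample key bytes and the message are all assumptions made for this illustration.

```c
/* Added example (not Unit 42's code and not Auto-Color's actual algorithm):
 * a byte-wise "XOR and subtract" cipher of the kind the report describes, and
 * a known-plaintext key recovery against it. The operation order (XOR, then
 * subtract the same key byte), the repeating key and the sample values are
 * assumptions made for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

uint8_t decrypt_byte(uint8_t c, uint8_t k) { return (uint8_t)((c ^ k) - k); }
uint8_t encrypt_byte(uint8_t p, uint8_t k) { return (uint8_t)((uint8_t)(p + k) ^ k); }

/* Apply the cipher to n bytes with a klen-byte key that repeats. */
void xs_crypt(const uint8_t *in, uint8_t *out, size_t n,
              const uint8_t *key, size_t klen, int decrypt) {
    for (size_t i = 0; i < n; i++) {
        uint8_t k = key[i % klen];
        out[i] = decrypt ? decrypt_byte(in[i], k) : encrypt_byte(in[i], k);
    }
}

/* Known-plaintext attack, one key position at a time: try all 256 key bytes
 * against every (ciphertext, plaintext) pair that position covers and keep the
 * ones that fit. Returns the number of candidates written to cands, ascending. */
int candidates_for_position(const uint8_t *ct, const uint8_t *pt, size_t n,
                            size_t klen, size_t pos, uint8_t *cands) {
    int count = 0;
    for (int k = 0; k < 256; k++) {
        int fits = 1;
        for (size_t i = pos; i < n; i += klen)
            if (decrypt_byte(ct[i], (uint8_t)k) != pt[i]) { fits = 0; break; }
        if (fits) cands[count++] = (uint8_t)k;
    }
    return count;
}

/* Recover a klen-byte repeating key from a known plaintext prefix of n bytes,
 * taking the smallest fitting candidate per position. Returns 1 if every
 * position had at least one candidate, 0 otherwise. */
int recover_key(const uint8_t *ct, const uint8_t *pt, size_t n, size_t klen, uint8_t *key_out) {
    uint8_t cands[256];
    if (n < klen) return 0;
    for (size_t pos = 0; pos < klen; pos++) {
        if (candidates_for_position(ct, pt, n, klen, pos, cands) == 0) return 0;
        key_out[pos] = cands[0];
    }
    return 1;
}

int main(void) {
    /* constructed sample: a 3-byte key and a beacon-like message */
    const uint8_t key[3] = {0x5A, 0x13, 0x47};
    const char *msg = "GET /config HTTP/1.0";
    size_t n = strlen(msg);
    uint8_t ct[32], pt[32], rec[3];
    xs_crypt((const uint8_t *)msg, ct, n, key, 3, 0);
    /* the analyst guesses only the first 12 bytes ("GET /config ") */
    if (recover_key(ct, (const uint8_t *)msg, 12, 3, rec)) {
        xs_crypt(ct, pt, n, rec, 3, 1);
        printf("recovered key %02X %02X %02X, plaintext: %.*s\n", rec[0], rec[1], rec[2], (int)n, pt);
    }
    return 0;
}
```

Two things this shows about such home-grown byte ciphers: a dozen bytes of guessable protocol text (a verb, a header, a fixed config field) pin the key well enough to decrypt everything else, and in this particular form the top bit of each key byte is dead weight, because flipping it adds 128 modulo 256 inside both the XOR and the subtraction, which cancel, so every key byte has a twin that decrypts identically.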
Each sample is statically compiled with its own C2 configuration embedded, so the address extracted from one sample says nothing about the next, which makes tracking the infrastructure or blocklisting C2 addresses across infections difficult.
Once connected to its C2 server, Auto-Color operates through an API-driven structure, where attackers issue commands in a structured format. Key capabilities include:
- Reverse Shell: Provides remote shell access to the attacker
- File Manipulation: Allows attackers to create, modify, or execute files locally
- Network Proxying: Turns the infected machine into a relay for attacker-controlled traffic
- Kill Switch: Enables the malware to uninstall itself and erase traces if needed
This modular functionality suggests that Auto-Color is designed for long-term espionage rather than immediate destruction.
Palo Alto Networks warns: “Once installed, Auto-Color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software.”
With Linux becoming an increasingly attractive target for cybercriminals, the checks this report suggests are concrete: alert on any write to /etc/ld.so.preload, look for an unexpected libcext.so.2 next to the legitimate libcext.so.0, and compare the socket list reported by a normal dynamically linked tool with one read by a statically linked binary, which the preload mechanism cannot hook.