Auto-Color: An Emerging and Evasive Linux Backdoor

by janrinok, from SoylentNews (#6VMQW)

An Anonymous Coward writes:

Executive Summary

Between early November and December 2024, Palo Alto Networks researchers discovered new Linux malware called Auto-color. We chose this name based on the file name that the initial payload renames itself to after installation.

The malware employs several methods to avoid detection, such as:

- Using benign-looking file names for operating
- Hiding remote command and control (C2) connections using an advanced technique similar to the one used by the Symbiote malware family
- Deploying proprietary encryption algorithms to hide communication and configuration information

Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software.

This article will cover aspects of this new Linux malware, including installation, obfuscation and evasion features. We will also discuss its capabilities and indicators of compromise (IoCs), to help others identify this threat on their systems too.

Palo Alto Networks customers are better protected from the threats discussed in this article through the following products or services: Advanced WildFire machine-learning models, as well as Advanced URL Filtering and Advanced DNS Security, and Cortex XDR and XSIAM.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

The full article contains further details in the following sections:

- Malware Startup and Installation
- Malicious Library Implant Analysis
- Hiding Network Activity
- Target C2 Payload Information
- Core C2 Protocol and API Structure
- Malware C2 API Functionality
- Conclusion

Additional Resources

Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat - Intezer
