New Linux Backdoor “Auto-color” Targets Government & Education Sectors

Overview

A newly discovered Linux backdoor malware, dubbed Auto-color, is actively targeting educational institutions and government organizations across North America and Asia. Researchers from Palo Alto Networks Unit 42 uncovered the malware, which leverages advanced stealth and persistence techniques to evade detection and gain deep system control.

Active between November and December 2024, Auto-color hides its presence, manipulates system functions, and encrypts its communications to make detection and removal difficult.

How Auto-color Works

1️⃣ Initial Infection & Execution

• Uses innocuous file names like “door” or “egg” to disguise itself.
• Each sample has a unique hash due to an encrypted C2 configuration embedded at compile time.
• Upon execution, verifies its filename—if incorrect, it triggers an installation phase.

2️⃣ Persistence via Malicious Library Implant

• Installs a rogue system library, mimicking legitimate libraries.
• If root privileges are available, it overrides core system functions for deeper control.
• Hooks into Linux’s ld.preload file, ensuring the malicious library loads before other system libraries.

3️⃣ Network Activity Concealment

• Hooks into C standard library functions to filter & manipulate network data.
• Modifies /proc/net/tcp to hide its connections to command-and-control (C2) servers.
• Uses a proprietary stream cipher for encrypted communication with C2 infrastructure.

4️⃣ Command Execution & Data Exfiltration

• After connecting to the C2 server, it receives encrypted commands for execution.
• Exfiltrates stolen data and maintains long-term access to compromised systems.