A new Linux malware, dubbed Auto-Color, has been actively targeting universities and government organizations across North America and Asia between November and December 2024. According to cybersecurity researchers at Palo Alto Networks Unit 42, this sophisticated malware grants hackers full remote access to compromised systems, making it exceptionally difficult to remove without specialized tools.
How Auto-Color Infects Systems
The exact delivery method of Auto-Color remains unclear, but researchers confirm that it requires victims to manually execute the malware on their Linux machines. Once activated, it renames itself and integrates deeply into the system to avoid detection.
One of the most alarming aspects of Auto-Color is its ability to conceal itself. It employs deceptive file names such as “door” or “egg” to appear harmless. Additionally, it hides its command-and-control (C2) connections using proprietary encryption algorithms, preventing security tools from easily identifying its malicious activities.
Persistence and Evasion Tactics
If executed with root privileges, Auto-Color installs a malicious library implant named libcext.so.2 and relocates itself to /var/log/cross/auto-color. It also modifies /etc/ld.preload, a key Linux configuration file, ensuring that it runs persistently upon system reboot.
“If the current user lacks root access, the malware will proceed with its infection but will be limited in its ability to install the evasive library implant,” explained Alex Armstrong, a security researcher at Unit 42. “Even without full privileges, it can still execute various malicious functions.”
How Auto-Color Hides Its Activities
To avoid detection, Auto-Color intercepts system calls through function hooking in the libc library. Specifically, it manipulates the open() system call to modify /proc/net/tcp, a file containing details of all active network connections. This technique, previously seen in other Linux malware like Symbiote, effectively conceals C2 traffic from security monitoring tools.
Additionally, the malware actively prevents its removal. It protects the /etc/ld.preload file from modification or deletion, ensuring it remains embedded in the system.
Capabilities
Once fully operational, Auto-Color establishes a connection with a remote C2 server, allowing attackers to:
Execute a reverse shell for direct remote access.
Gather system information, including running processes and hardware details.
Modify or create files on the infected system.
Run arbitrary programs at the hacker’s command.
Use the compromised system as a proxy to route malicious traffic.
Self-destruct using a built-in kill switch, making forensic analysis difficult.
Highly Encrypted C2 Communication
Unlike conventional Linux malware that relies on standard encryption, Auto-Color employs a unique proprietary algorithm to encrypt its C2 communication. Each instance of the malware is compiled separately, embedding distinct command server IP addresses, which further complicates detection and mitigation efforts.
“Upon execution, the malware attempts to establish communication with a command server, enabling attackers to deploy reverse shell backdoors and execute commands remotely,” Armstrong noted. “The encryption methods used make it challenging to track and block the malware’s activity.”
Conclusion and Recommendations
Auto-Color represents a growing trend of stealthy Linux malware capable of deep system infiltration and persistent control. Given its advanced evasion techniques and full remote access capabilities, organizations must take proactive measures to protect their Linux environments.
Security Best Practices:
Restrict Execution Privileges – Avoid running unknown files with root privileges.
Monitor Network Traffic – Look for unusual encrypted connections or hidden C2 communication.
Use File Integrity Monitoring (FIM) – Track changes to critical system files like /etc/ld.preload.
Employ Advanced Threat Detection – Deploy security tools that can identify function hooking and process injection techniques.
Regularly Update Security Patches – Keep Linux distributions and security software up to date.
With Linux systems increasingly becoming targets of advanced cyber threats, awareness and proactive security measures are crucial in mitigating the risks posed by malware like Auto-Color.
Follow us on 
(Twitter) for real time updates and exclusive content.
Interesting Article : Truesight.sys Driver Abused to Bypass EDR and Deliver HiddenGh0st RAT