Auto-Color: An Emerging and Evasive Linux Backdoor
Feb. 25, 2025, 9:41 a.m.
Description
Auto-color is a newly discovered Linux backdoor that employs several evasion techniques. It renames itself to benign-looking filenames, hides its remote C2 connections with a technique similar to that of the Symbiote malware, and uses proprietary encryption for its communications. The malware installs a malicious shared-library implant that intercepts the file and network calls a process makes in order to conceal its own network activity; Symbiote does this in user space through the dynamic loader's preload mechanism, hooking libc rather than the kernel's syscall table, so any tool that reads /proc through the hooked libc can be shown a filtered view. A practitioner checking a suspect host should therefore also inspect it from outside the running system (a rescue boot, a statically linked binary, or network telemetry from a neighbouring device). The backdoor gives the threat actor full remote access to the compromised machine and is difficult to remove. Auto-color primarily targets universities and government offices in North America and Asia. Its C2 protocol consists of a simple handshake followed by encrypted messages that carry commands; its capabilities include file operations, network proxying, and reverse shells.
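The description above says the implant hides its C2 connections from tools that read through the hooked library, and the indicator list below gives two C2 IP addresses. The following script is an added example, not code from the original page or from the Auto-color report, showing how a responder can parse /proc/net/tcp directly and match remote endpoints against those IOCs, and how to audit /etc/ld.so.preload, the file a Symbiote-style implant uses to get loaded into every process. The sample /proc/net/tcp and ld.so.preload contents are constructed for the example, and the implant path in the sample is hypothetical. When run live, the script is still subject to the hook it is looking for if the host's libc is compromised; run it from a rescue environment or with a statically linked Python where that matters.

```python
import os
import socket
import struct

# C2 IP indicators from this page (the SHA-256 indicators apply to files, not sockets).
C2_IPS = frozenset({"65.38.121.64", "216.245.184.214"})

# Subset of Linux TCP state codes as they appear in /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed sample: loopback SSH listener plus one established session
# to the first C2 address on port 443 from 10.0.2.15:46018.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B3C2 40792641:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of /etc/ld.so.preload; the library path is hypothetical.
SAMPLE_LD_SO_PRELOAD = """\
# preload list
/lib/libhypothetical-implant.so
"""


def decode_proc_net_addr(field):
    """Turn a /proc/net/tcp 'AABBCCDD:PPPP' field into (dotted_ip, port).

    The kernel prints the IPv4 address as a 32-bit value in host byte order,
    so on little-endian machines the octets appear reversed.
    """
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def find_c2_connections(proc_net_tcp_text, ioc_ips=C2_IPS):
    """Return sockets whose remote address is one of the IOC IPs."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8:
            continue
        local = decode_proc_net_addr(cols[1])
        remote = decode_proc_net_addr(cols[2])
        if remote[0] in ioc_ips:
            hits.append({
                "local": local,
                "remote": remote,
                "state": TCP_STATES.get(cols[3], cols[3]),
                "uid": int(cols[7]),
            })
    return hits


def audit_ld_so_preload(text, allowlist=frozenset()):
    """Return preload entries not on the allowlist.

    On most hosts /etc/ld.so.preload should not exist or should be empty;
    any entry is worth explaining, which is why the default allowlist is empty.
    """
    entries = (line.strip() for line in text.splitlines())
    return [e for e in entries if e and not e.startswith("#") and e not in allowlist]


def read_if_present(path):
    """Read a file if it exists; used for the live check in main()."""
    if os.path.exists(path):
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return ""


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the live host if on Linux.
    for src_name, tcp_text, preload_text in (
        ("sample", SAMPLE_PROC_NET_TCP, SAMPLE_LD_SO_PRELOAD),
        ("live", read_if_present("/proc/net/tcp"), read_if_present("/etc/ld.so.preload")),
    ):
        for hit in find_c2_connections(tcp_text):
            print(f"[{src_name}] C2 match: {hit}")
        for entry in audit_ld_so_preload(preload_text):
            print(f"[{src_name}] unexpected ld.so.preload entry: {entry}")
```

The address decoding is the part people most often get wrong: `40792641:01BB` is 65.38.121.64:443, not 64.121.38.65. Extend `C2_IPS` with your own indicators and, for a hunt across a fleet, collect /proc/net/tcp and /proc/net/tcp6 from an agent that does not depend on the host's dynamic libc.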
Tags
Date
- Created: Feb. 25, 2025, 2:46 a.m.
- Published: Feb. 25, 2025, 2:46 a.m.
- Modified: Feb. 25, 2025, 9:41 a.m.
Indicators
- SHA-256: e1c86a578e8d0b272e2df2d6dd9033c842c7ab5b09cda72c588e0410dc3048f7
- SHA-256: bf503b5eb456f74187a17bb8c08bccc9b3d91a7f0f6fd50110540b051510d1ca
- SHA-256: bace40f886aac1bab03bf26f2f463ac418616bacc956ed97045b7c3072f02d6b
- SHA-256: a1b09720edcab4d396a53ec568fe6f4ab2851ad00c954255bf1a0c04a9d53d0a
- SHA-256: 85a77f08fd66aeabc887cb7d4eb8362259afa9c3699a70e3b81efac9042bb255
- SHA-256: 83d50fcf97b0c1ec3de25b11684ca8db6f159c212f7ff50c92083ec5fbd3a633
- SHA-256: 65a84f6a9b4ccddcdae812ab8783938e3f4c12cfba670131b1a80395710c6fb4
- SHA-256: 270fc72074c697ba5921f7b61a6128b968ca6ccbf8906645e796cfc3072d4c43
- IPv4 (C2): 65.38.121.64
- IPv4 (C2): 216.245.184.214
Attack Patterns
- Symbiote
- Auto-color
- T1553.004 (Subvert Trust Controls: Install Root Certificate)
- T1056.004 (Input Capture: Credential API Hooking)
- T1505.003 (Server Software Component: Web Shell)
- T1569.002 (System Services: Service Execution)
- T1071.001 (Application Layer Protocol: Web Protocols)
- T1070.004 (Indicator Removal: File Deletion)
- T1082 (System Information Discovery)
- T1105 (Ingress Tool Transfer)
- T1083 (File and Directory Discovery)
- T1055 (Process Injection)
- T1036 (Masquerading)
- T1027 (Obfuscated Files or Information)
- T1090 (Proxy)
Additional Information
- Education
- Government
- United States of America