Auto-Color: An Emerging and Evasive Linux Backdoor
Essential information
- Published
- 25/02/2025 02:46
- Modified
- 25/02/2025 09:41
- Tags
- 2025-02-25, auto-color, backdoor, c2, encryption, evasion, government, library implant, linux, proxy, reverse shell, symbiote, universities
- Related entities
- 10 observables, 13 techniques (mitre), 2 malware, 3 others
Description
Auto-Color is a newly discovered Linux malware that employs sophisticated evasion techniques. It renames itself to benign-looking filenames, hides its remote C2 connections using methods similar to those of the Symbiote malware, and uses a proprietary encryption scheme for its communication. The malware installs a malicious library implant that intercepts system calls in order to conceal its network activity. It gives threat actors full remote access to compromised machines and is difficult to remove. Auto-Color primarily targets universities and government offices in North America and Asia. Its C2 protocol consists of a simple handshake followed by encrypted messages that carry commands. Its capabilities include file operations, network proxying, and spawning reverse shells.
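The description above attributes the hiding of C2 connections to a library implant that intercepts system calls, in the manner of Symbiote. The following is an added example, not part of the original entry, of two defender-side checks for that class of implant: enumerating libraries injected through the dynamic loader's preload mechanism (/etc/ld.so.preload and LD_PRELOAD, the route Symbiote is known to use; whether Auto-Color uses exactly this route is an assumption here), and a cross-view comparison of `/proc/net/tcp` as read through the possibly hooked libc against a trusted read (for example from a statically linked tool or a read taken from outside the host), so that connections filtered out by a hook show up as a difference. All file contents, paths and addresses below are constructed sample data.

```python
"""Defender-side checks for a userland library implant that hides network
connections. Added example; assumes the implant is loaded via the dynamic
loader's preload mechanism, as Symbiote is. All inputs are constructed."""
from typing import Dict, List, Set, Tuple

# Libraries an administrator knowingly preloads; empty on a typical host.
TRUSTED_PRELOADS: Set[str] = set()


def preload_entries(preload_file_text: str, environ: Dict[str, str]) -> List[str]:
    """Collect library paths from ld.so.preload contents and LD_PRELOAD.

    ld.so.preload lists one or more libraries separated by whitespace or ':';
    '#' starts a comment. LD_PRELOAD uses the same separators.
    """
    entries: List[str] = []
    for line in preload_file_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.replace(":", " ").split())
    entries.extend(environ.get("LD_PRELOAD", "").replace(":", " ").split())
    return entries


def suspicious_preloads(entries: List[str]) -> List[str]:
    """Every preloaded library not on the allowlist is worth investigating."""
    return sorted({e for e in entries if e not in TRUSTED_PRELOADS})


def decode_addr(hexaddr: str) -> str:
    """Turn a /proc/net/tcp 'AABBCCDD:PPPP' field into dotted-quad:port.

    The IPv4 address is stored as a little-endian 32-bit value, so the
    byte order has to be reversed; the port is big-endian hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> Set[Tuple[str, str, str]]:
    """Decode /proc/net/tcp rows into (local, remote, state) tuples.

    The first line is the column header; fields 1-3 of every other row are
    local address, remote address and connection state (01 = ESTABLISHED,
    0A = LISTEN).
    """
    conns = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        conns.add((decode_addr(fields[1]), decode_addr(fields[2]), fields[3]))
    return conns


def hidden_connections(hooked_view: str, trusted_view: str) -> Set[Tuple[str, str, str]]:
    """Connections present in the trusted read but missing from the libc view.

    A library that hooks file reads to drop its own C2 rows cannot remove
    them from a read it does not intercept, so the set difference exposes them.
    """
    return parse_proc_net_tcp(trusted_view) - parse_proc_net_tcp(hooked_view)


# Constructed sample data: a preload file naming one unknown library, and two
# views of /proc/net/tcp where the hooked view lacks the outbound session.
PRELOAD_TEXT = "# constructed sample\n/usr/local/lib/libexample.so\n"
ENVIRON = {"LD_PRELOAD": ""}
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"
ROW_SSH = "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0"
ROW_OUT = "   1: 0F02000A:A3C2 0501A8C0:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0 20 4 30 10 -1"
HOOKED_VIEW = "\n".join([HEADER, ROW_SSH])
TRUSTED_VIEW = "\n".join([HEADER, ROW_SSH, ROW_OUT])


def run_checks() -> Dict[str, object]:
    """Run both checks over the constructed data and return the findings."""
    return {
        "preloads": suspicious_preloads(preload_entries(PRELOAD_TEXT, ENVIRON)),
        "hidden": hidden_connections(HOOKED_VIEW, TRUSTED_VIEW),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(name, finding)
```

On a live host the hooked view is simply `open("/proc/net/tcp").read()` from the dynamically linked interpreter, while the trusted view must come from a path the implant cannot reach, such as a statically linked binary, a forensic copy, or a capture taken at the network edge; if the two views agree, the hook (if any) is not filtering that file.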