{
  "name": "Auto-Color: An Emerging and Evasive Linux Backdoor",
  "slug": "auto-color-an-emerging-and-evasive-linux-backdoor",
  "description": "Auto-color is a newly discovered Linux malware that employs sophisticated evasion techniques. It renames itself to benign-looking filenames, hides its remote C2 connections using methods similar to those of the Symbiote malware, and uses proprietary encryption for its communication. The malware installs a malicious library implant that intercepts system calls and conceals its network activity. It gives threat actors full remote access to compromised machines and is difficult to remove. Auto-color primarily targets universities and government offices in North America and Asia. Its C2 protocol consists of a simple handshake followed by encrypted messages used to issue commands. Its capabilities include file operations, network proxying, and creating reverse shells.",
  "published": "2025-02-25T01:46:32+00:00",
  "created_at": "2025-02-25T01:46:32+00:00",
  "modified_at": "2025-02-25T08:41:54+00:00",
  "created_at_opencti": "2025-02-25T01:46:32+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-25",
    "auto-color",
    "backdoor",
    "c2",
    "encryption",
    "evasion",
    "government",
    "library implant",
    "linux",
    "proxy",
    "reverse shell",
    "symbiote",
    "universities"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "65.38.121.64"
      },
      {
        "id": "",
        "name": "216.245.184.214"
      },
      {
        "id": "",
        "name": "e1c86a578e8d0b272e2df2d6dd9033c842c7ab5b09cda72c588e0410dc3048f7"
      },
      {
        "id": "",
        "name": "bf503b5eb456f74187a17bb8c08bccc9b3d91a7f0f6fd50110540b051510d1ca"
      },
      {
        "id": "",
        "name": "bace40f886aac1bab03bf26f2f463ac418616bacc956ed97045b7c3072f02d6b"
      },
      {
        "id": "",
        "name": "a1b09720edcab4d396a53ec568fe6f4ab2851ad00c954255bf1a0c04a9d53d0a"
      },
      {
        "id": "",
        "name": "85a77f08fd66aeabc887cb7d4eb8362259afa9c3699a70e3b81efac9042bb255"
      },
      {
        "id": "",
        "name": "83d50fcf97b0c1ec3de25b11684ca8db6f159c212f7ff50c92083ec5fbd3a633"
      },
      {
        "id": "",
        "name": "65a84f6a9b4ccddcdae812ab8783938e3f4c12cfba670131b1a80395710c6fb4"
      },
      {
        "id": "",
        "name": "270fc72074c697ba5921f7b61a6128b968ca6ccbf8906645e796cfc3072d4c43"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:aee03f41693f4422",
        "name": "Symbiote",
        "slug": "symbiote"
      },
      {
        "id": "legacy:malware:54bb62428e1d2b29",
        "name": "Auto-color",
        "slug": "auto-color"
      }
    ],
    "attack_patterns": [
      {
        "id": "d3fff364-9b70-4b8e-9206-05e7a8973fd5",
        "name": "T1553.004"
      },
      {
        "id": "e684b1cc-3ebf-4679-bd3c-c5e540a60a5d",
        "name": "T1056.004"
      },
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3",
        "name": "T1569.002"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/",
    "https://otx.alienvault.com/pulse/67bd2f08a42cda6ca5b61ecf"
  ]
}