A new Linux backdoor named Auto-color has been identified targeting government organizations and universities across North America and Asia. First observed between November and December 2024, Auto-color is designed to evade detection and maintain a persistent presence within compromised systems.

The malware disguises itself as a benign color-enhancement tool, using common file names like "door," "egg," and "log" to blend in with system files.

When executed with root privileges, Auto-color deploys advanced evasion tactics, including dropping a shared library that hooks libc functions to hide network connections, prevent uninstallation, and keep its activities undetected. To ensure persistence, Auto-color modifies the /etc/ld.so.preload file, which forces the loading of specified libraries into every process. "This library hooks critical system functions, protecting the malware's configuration files and ensuring that any attempt to delete or modify them is redirected or blocked," Mohamed Ezat said.

The malware uses a custom encryption algorithm for both sending and receiving data, so that its communications remain secure and undetected. It can receive various commands from the C2 server, including gathering system information; reading, writing, deleting, and modifying files; creating a reverse shell backdoor; configuring the device as a proxy; and self-destructing to erase all traces of its presence.

Despite its sophisticated evasion techniques, Auto-color has been flagged by 15 security vendors, according to the latest reports. A YARA rule has been developed for those looking to detect Auto-color, targeting specific strings and file sizes associated with the malware. Additionally, an IDAPython script has been crafted to automatically decrypt and analyze the obfuscated strings within Auto-color, aiding in its identification and removal.

The emergence of Auto-color underscores the evolving sophistication of cyber threats targeting critical infrastructure. Government organizations and educational institutions must remain vigilant, updating their security protocols and ensuring that their systems are protected against such advanced persistent threats. As attackers continue refining their techniques, the cybersecurity community must stay a step ahead, employing both traditional and innovative methods to safeguard digital environments.
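Because the persistence mechanism described above lives in /etc/ld.so.preload, a simple defensive check is to audit that file for entries that do not belong. The following script is an added example written for this article, not code from the report or from any vendor; it parses the file in glibc's format (whitespace-separated paths, '#' to end of line as a comment) and flags entries that are relative, live outside the standard library directories, contain a hidden path component, or do not look like a shared-object name. The trusted-directory list and the sample file contents are assumptions constructed for the example. One caveat a responder should keep in mind: a preload library that hooks libc can lie to any process on the infected host, including this script, so run it from a rescue boot or against a mounted disk image rather than on the live system.

```python
"""Audit /etc/ld.so.preload for unexpected entries (defensive check).

Added example, not from the article. A preload library installed by
malware hooks libc in every process, so run this from a trusted
environment (rescue boot, or against a mounted disk image) rather than
on a live host whose libc may already be hooked.
"""
import os
import re
from pathlib import Path

# Directories from which a legitimately preloaded library normally comes
# (assumption: adjust for your distribution's layout).
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Accepts libfoo.so, libfoo.so.1, libfoo.so.1.2.3
SO_NAME = re.compile(r"\.so(\.\d+)*$")


def parse_preload(text: str) -> list[str]:
    """Return the library paths listed in ld.so.preload contents.

    Entries are whitespace-separated (colons are also accepted, as in
    LD_PRELOAD) and '#' starts a comment that runs to end of line.
    """
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return libs


def suspicious_reasons(lib: str, allowlist: frozenset[str] = frozenset()) -> list[str]:
    """Explain why a preload entry deserves a look; an empty list means it looks benign."""
    if lib in allowlist:
        return []
    reasons = []
    if not os.path.isabs(lib):
        reasons.append("relative path")
    elif not lib.startswith(TRUSTED_DIRS):
        reasons.append("outside standard library directories")
    # Any dot-prefixed directory or file name along the path is unusual for a system library.
    if any(part.startswith(".") for part in Path(lib).parts[1:]):
        reasons.append("hidden path component")
    if not SO_NAME.search(os.path.basename(lib)):
        reasons.append("unusual shared-object name")
    return reasons


def audit_preload(text: str, allowlist: frozenset[str] = frozenset()) -> list[dict]:
    """Audit ld.so.preload contents; returns one finding per suspicious entry."""
    findings = []
    for lib in parse_preload(text):
        reasons = suspicious_reasons(lib, allowlist)
        if reasons:
            findings.append({"library": lib, "reasons": reasons})
    return findings


def audit_preload_file(path: str = "/etc/ld.so.preload") -> list[dict]:
    """Audit the file on disk. On a clean system the file is usually absent."""
    try:
        text = Path(path).read_text()
    except FileNotFoundError:
        return []
    return audit_preload(text)


# Constructed sample contents, not a real artefact from the malware.
SAMPLE_PRELOAD = """\
# constructed sample
/usr/lib/x86_64-linux-gnu/libexample-legit.so.1
/usr/lib/.cache/libcext.so
/tmp/libc.so.6-fake
"""

if __name__ == "__main__":
    for finding in audit_preload(SAMPLE_PRELOAD):
        print(f"{finding['library']}: {', '.join(finding['reasons'])}")
```

On a host where the file exists at all, every entry deserves explanation; the allowlist parameter is there for environments that legitimately preload a library (some EDR agents and malloc replacements do), so that known-good entries do not generate noise.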
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 07 Apr 2025 12:45:04 +0000