Auto-Color Linux Malware: A Stealthy Backdoor Targeting Universities and Government Institutions


A new Linux malware, Auto-Color, is actively targeting universities and government institutions worldwide. Discovered by researchers at Palo Alto Networks Unit 42, this malware serves as a stealthy backdoor, granting attackers persistent access to compromised systems.


How It Works

Auto-Color is named for its ability to rename itself upon installation, using harmless file names like “door” or “egg” to evade detection. The malware also employs encryption techniques to conceal its command-and-control (C&C) communications, making it even harder to detect.


Key Characteristics:

  • Stealth Persistence: Establishes long-term access to Linux systems.
  • Evasion Techniques: Uses encryption and deceptive file names to hide activity.
  • Similarities with Symbiote Malware: Both malware strains conceal C&C communications.
  • Library Implantation: If the target user has root access, Auto-Color installs a malicious library (libcext.so.2) for deeper system integration. Without root access, it provides temporary access instead.
  • Mimicking Legitimate Libraries: The malware disguises itself as libcext.so.0, executing before any other system library to maintain stealth.

Once installed, Auto-Color executes remote commands from its C&C server, allowing attackers to:
✅ Open reverse shells for remote access.
✅ Modify or create files on the target system.
✅ Change configurations to establish deeper persistence.
✅ Redirect system traffic as a proxy.
✅ Execute arbitrary commands to gain full control.

Additionally, Auto-Color includes a “kill-switch” feature, enabling attackers to remove all traces of infection and avoid forensic analysis.


Who Is Being Targeted?

Unit 42 first detected Auto-Color in November 2024. So far, it has been used against universities and government institutions across Asia and North America. However, the exact infection vector remains unknown.

How to Protect Your Linux Systems

🔹 Monitor Network Activity: Look for unusual C&C connections or hidden processes.
🔹 Enable Logging and Auditing: Use SELinux/AppArmor to track unauthorized modifications.
🔹 Patch & Update Regularly: Keep your Linux kernel and software updated to prevent exploitation.
🔹 Restrict Root Privileges: Limit unnecessary root access to reduce attack impact.
🔹 Use Endpoint Security Tools: Deploy intrusion detection systems (IDS) to catch suspicious activities.

For a detailed technical analysis, visit the official Unit 42 report on Auto-Color.

By staying vigilant and implementing strong security measures, Linux administrators can mitigate the risks posed by Auto-Color and similar stealthy threats. 🚨
