Palo Alto Networks has shared details on a new piece of Linux malware that gives threat actors backdoor access to compromised devices.
Named Auto-Color (based on the name of the initial payload), the Linux malware was first spotted by the security firm in early November 2024. Palo Alto obtained the most recent sample on December 5, 2024.
The company’s analysis showed that Auto-Color has mainly been used to target universities and governments in North America and Asia.
Palo Alto has not been able to determine how the malware reaches targets, but pointed out that it needs to be explicitly executed by the victim on a Linux computer.
Once it has been fully deployed on a system, it provides its operator with complete remote access to the targeted machine, and it’s “very difficult to remove without specialized software”, the security firm said.
The malware supports commands that enable the attacker to collect host information, uninstall the malware, create a reverse shell, create and modify files, execute a program, and turn the device into a proxy.
Auto-Color uses various methods to evade detection, including using harmless-looking file names, hiding C&C connections using a sophisticated technique, and leveraging proprietary encryption algorithms to protect information pertaining to communication and configuration.
Palo Alto has shared indicators of compromise (IoCs) to help defenders detect the Auto-Color Linux malware on their networks.
Related: Golang Backdoor Abuses Telegram for C&C Communication
Related: Chinese Botnet Powered by 130,000 Devices Targets Microsoft 365 Accounts
Related: Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines
Related: New FrigidStealer macOS Malware Distributed as Fake Browser Update
