https://unit42.paloaltonetworks.com/new ... uto-color/
Quite a detailed analysis and description:
Between early November and December 2024, Palo Alto Networks researchers discovered new Linux malware called Auto-color. We chose this name based on the file name the initial payload renames itself to after installation.
The malware employs several methods to avoid detection, such as:
Using benign-looking file names for operating
Hiding remote command and control (C2) connections using an advanced technique similar to the one used by the Symbiote malware family
Deploying proprietary encryption algorithms to hide communication and configuration information
Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software.
This article will cover aspects of this new Linux malware, including installation, obfuscation and evasion features. We will also discuss its capabilities and indicators of compromise (IoCs), to help others identify this threat on their systems too. ...
... Once the malware initially runs on the victim machine, it will check whether the executable file name running is Auto-color. Initially, the original executables will all have different file names such as door or egg, and they will perform different logic if the name differs from Auto-color. If its executable file name is not Auto-color, the malware will run its installation phase for an evasive library implant located within the executable itself.
If the current user lacks root privileges, the malware will not proceed with the installation of the evasive library implant on the system. It will proceed to do as much as possible in its later phases without this library.
If the current user has root privileges, the malware then installs a malicious library implant called libcext.so.2. This is to mimic the legitimate C utility library libcext.so.0 to evade detection. ...
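A quick host-side hunt for the two things the excerpt above gives a defender to look for, written here as an added example (this is not code from the Unit 42 write-up or from the malware). The only indicator taken from the quoted text is the implant file name libcext.so.2; the /etc/ld.so.preload check is an assumption, since the text only says the C2-hiding trick resembles Symbiote's and does not say where Auto-color registers its library. The `root` argument lets the same functions run against a mounted forensic image instead of the live host.

```shell
#!/bin/sh
# Added hunting helpers for the Auto-color excerpt above (assumed, not from the article).
# Indicator from the page: a library implant named libcext.so.2 (mimicking libcext.so.0).
# Assumption: a Symbiote-style preload implant is usually registered in /etc/ld.so.preload,
# so a non-empty preload file on a host that should not have one is worth a look.

# Print every regular file named libcext.so.2 beneath ROOT (default: /).
# Legitimate systems carry libcext.so.0, not .so.2, so any hit deserves triage.
find_implant_candidates() {
    root="${1:-/}"
    find "$root" -xdev -type f -name 'libcext.so.2' 2>/dev/null
}

# Print the non-empty, non-comment entries of ROOT/etc/ld.so.preload.
# ROOT is "" for the live host or the mount point of an image. On most
# clean hosts the file is absent or empty, so any entry is a lead.
list_preload_entries() {
    root="${1:-}"
    f="$root/etc/ld.so.preload"
    [ -f "$f" ] || return 0
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$'
}

# Combine both checks. Prints one line per finding and returns 0 when
# anything was found, 1 when the host looks clean (useful in cron/CI).
hunt_auto_color() {
    root="${1:-}"
    report=$(
        find_implant_candidates "${root:-/}" | sed 's/^/implant-name match: /'
        list_preload_entries "$root" | sed 's/^/ld.so.preload entry: /'
    )
    [ -n "$report" ] || return 1
    printf '%s\n' "$report"
}
```

Run `hunt_auto_color` as root on the live host, or `hunt_auto_color /mnt/evidence` against a mounted disk image; a hit on the file name alone is not proof (an attacker can rename the implant), so treat the output as triage leads and pair it with the hashes and network IoCs from the full article.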