Discussion:
Auto-Color: An Emerging and Evasive Linux Backdoor
Brock McNuggets
2025-03-02 17:00:44 UTC
https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/
-----
Auto-Color: An Emerging and Evasive Linux Backdoor

Between early November and December 2024, Palo Alto Networks researchers
discovered new Linux malware called Auto-color. We chose this name based on
the file name the initial payload renames itself after installation.

The malware employs several methods to avoid detection, such as:

* Using benign-looking file names for operating

* Hiding remote command and control (C2) connections using an advanced
technique similar to the one used by the Symbiote malware family

* Deploying proprietary encryption algorithms to hide communication and
configuration information

Once installed, Auto-color allows threat actors full remote access to
compromised machines, making it very difficult to remove without specialized
software.

This article will cover aspects of this new Linux malware, including
installation, obfuscation and evasion features. We will also discuss its
capabilities and indicators of compromise (IoCs), to help others identify this
threat on their systems too.

Palo Alto Networks customers are better protected from the threats discussed
in this article through the following products or services: Advanced WildFire
machine-learning models, as well as Advanced URL Filtering and Advanced DNS
Security, and Cortex XDR and XSIAM.

If you think you might have been compromised or have an urgent matter, contact
the Unit 42 Incident Response team.
-----
--
Specialist in unnecessary details and overcomplicated solutions.
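The second bullet in the quoted article (hidden C2 connections, Symbiote-style) is the one a Linux admin can actually do something about from the host side. This is an added example, not code from the thread, the article or Unit 42. It assumes the Symbiote-style hiding works the way that family is generally described: a shared object loaded into user processes (via the dynamic loader's preload mechanism, which is my assumption about the technique, not a detail the post gives) hooks the libc calls that netstat/ss rely on, so those tools never show the attacker's socket. The kernel's own table in /proc/net/tcp is an independent view; diffing it against what the tool reported exposes entries the tool omitted. The /proc/net/tcp sample below is constructed.

```python
# Added example (not from the thread or from Unit 42): cross-check the kernel's
# socket table against what a userland tool reported, and list anything in
# /etc/ld.so.preload. Symbiote-style hiding happens inside the tool's own
# process, so a direct read of /proc is a second, unhooked source of truth.
import socket
import struct
from dataclasses import dataclass

# Constructed sample of /proc/net/tcp (same column layout as the real file):
# a CUPS-style listener on 127.0.0.1:631 and one established session to
# 192.168.1.2:443 owned by uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B3E4 0201A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # only the codes used here


@dataclass(frozen=True)
class TcpEntry:
    local: tuple   # (ip, port)
    remote: tuple  # (ip, port)
    state: str     # two-hex-digit state code from the 'st' column
    uid: int
    inode: int


def _decode_addr(field: str) -> tuple:
    """'0201A8C0:01BB' -> ('192.168.1.2', 443).

    IPv4 addresses in /proc/net/tcp are hex in host byte order, which on x86
    means the octets appear reversed; unpacking as little-endian undoes that.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """Parse the text of /proc/net/tcp into TcpEntry records."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        entries.append(TcpEntry(
            local=_decode_addr(cols[1]),
            remote=_decode_addr(cols[2]),
            state=cols[3],
            uid=int(cols[7]),
            inode=int(cols[9]),
        ))
    return entries


def hidden_connections(kernel_view: list, tool_view: set) -> list:
    """Entries in the kernel table that a userland tool did not report.

    tool_view is the set of (local, remote) pairs the tool printed; anything
    the kernel knows about but the tool does not is worth a closer look.
    """
    return [e for e in kernel_view if (e.local, e.remote) not in tool_view]


def preload_entries(preload_file_text: str) -> list:
    """Non-empty, non-comment lines of /etc/ld.so.preload.

    On a normal host the file is absent or empty, so any entry at all should
    be explained by an admin before the box is trusted.
    """
    return [ln.strip() for ln in preload_file_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def run_live(tool_view: set) -> dict:
    """Apply both checks to the real files when running on a Linux host."""
    findings = {"hidden": [], "preload": []}
    try:
        with open("/proc/net/tcp") as fh:
            findings["hidden"] = hidden_connections(parse_proc_net_tcp(fh.read()), tool_view)
    except OSError:
        pass  # not Linux, or /proc unavailable
    try:
        with open("/etc/ld.so.preload") as fh:
            findings["preload"] = preload_entries(fh.read())
    except OSError:
        pass  # file absent is the normal, healthy case
    return findings


if __name__ == "__main__":
    # Demo on the constructed sample: pretend the tool only reported the listener.
    kernel = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    tool_reported = {(("127.0.0.1", 631), ("0.0.0.0", 0))}
    for e in hidden_connections(kernel, tool_reported):
        state = TCP_STATES.get(e.state, e.state)
        print(f"hidden from tool: {e.local} -> {e.remote} {state} uid={e.uid} inode={e.inode}")
```

In practice the tool_view set comes from running ss or netstat on the suspect host and parsing its output; running that tool from a statically linked rescue binary or from a live-boot medium gives a third view that a preloaded hook cannot touch. The inode in each entry can be matched against /proc/*/fd to find the owning process, which is the next step an analyst would take.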
Mike Easter
2025-03-02 18:10:45 UTC
As a general rule, whenever I hear about some malware threat, the
absolute FIRST thing I want to understand is not all of the 'tricks' it
employs to fascinate the hacker set, but rather: How does this malware
go about the very FIRST step, getting itself 'run' on the target system?

The cited article is of course busily asserting itself from an anti-
hacker perspective and how great they were in dissecting the situation.

Guess what? They *absolutely* did NOT do the *FIRST* thing explanation.

Fail.
We do not currently know how the initial malware executable reaches
its targets, but the file is intended to run explicitly by the
victim on their Linux machine.
--
Mike Easter
Brock McNuggets
2025-03-02 18:20:58 UTC
Post by Mike Easter
As a general rule, whenever I hear about some malware threat, the
absolute FIRST thing I want to understand is not all of the 'tricks' it
employs to fascinate the hacker set, but rather: How does this malware
go about the very FIRST step, getting itself 'run' on the target system?
The cited article is of course busily asserting itself from an anti-
hacker perspective and how great they were in dissecting the situation.
Guess what? They *absolutely* did NOT do the *FIRST* thing explanation.
I agree the article is lacking. Just wanted people to be aware.

And in case anyone thinks I am anti-Linux, the reason this is newsworthy to me
is because such things are fairly rare. If this was Windows it would not be of
interest.
Post by Mike Easter
Fail.
We do not currently know how the initial malware executable reaches
its targets, but the file is intended to run explicitly by the
victim on their Linux machine.
--
Specialist in unnecessary details and overcomplicated solutions.
FromTheRafters
2025-03-02 19:31:34 UTC
Post by Mike Easter
As a general rule, whenever I hear about some malware threat, the
absolute FIRST thing I want to understand is not all of the 'tricks' it
employs to fascinate the hacker set, but rather: How does this malware
go about the very FIRST step, getting itself 'run' on the target system?
It's a trojan.
David
2025-03-02 22:21:52 UTC
Post by FromTheRafters
Post by Mike Easter
As a general rule, whenever I hear about some malware threat, the
absolute FIRST thing I want to understand is not all of the 'tricks' it
employs to fascinate the hacker set, but rather:  How does this malware
go about the very FIRST step, getting itself 'run' on the target system?
It's a trojan.
That’s a serious piece of malware — Auto-color sounds like a stealthy
and dangerous backdoor for Linux systems. It seems to use a combination of:

File name deception — renaming itself to appear harmless.
Hidden C2 communication — adopting tactics similar to Symbiote
malware, which is known for injecting itself into processes to stay hidden.
Proprietary encryption — to cloak its activity and configurations.

The fact that it grants full remote access means it’s not just a passive
piece of spyware — it could allow threat actors to execute commands,
move laterally, and even exfiltrate data.
%
2025-03-02 22:35:21 UTC
Post by David
Post by FromTheRafters
Post by Mike Easter
As a general rule, whenever I hear about some malware threat, the
absolute FIRST thing I want to understand is not all of the 'tricks' it
employs to fascinate the hacker set, but rather:  How does this malware
go about the very FIRST step, getting itself 'run' on the target system?
It's a trojan.
That’s a serious piece of malware — Auto-color sounds like a stealthy
    File name deception — renaming itself to appear harmless.
    Hidden C2 communication — adopting tactics similar to Symbiote
malware, which is known for injecting itself into processes to stay hidden.
    Proprietary encryption — to cloak its activity and configurations.
The fact that it grants full remote access means it’s not just a passive
piece of spyware — it could allow threat actors to execute commands,
move laterally, and even exfiltrate data.
that looks like david
Mike Easter
2025-03-02 23:38:34 UTC
Post by FromTheRafters
Post by Mike Easter
As a general rule, whenever I hear about some malware threat, the
absolute FIRST thing I want to understand is not all of the 'tricks' it
employs to fascinate the hacker set, but rather:  How does this malware
go about the very FIRST step, getting itself 'run' on the target system?
It's a trojan.
That may be so, but it doesn't explain how the malware 'engineers' chose
to go about their mission of getting the linux user to do something s/he
shouldn't or wouldn't have done wisely.

The article says that uni/edu type systems are the 'interested' target.
The 'conventional' behavior of linux users, and particularly those who
are on some kind of linux-related network such as uni/edu is to usually
be using some kind of enterprise distro for which they are supposed to
be using the distro's repo/s, not lollygagging around installing unknown
programs willy-nilly.

They also shouldn't be exposed to some kind of email vector, presuming
their mail is handled by an admin which is more securely operated than a
'casual' linux user.

On such a network, the admin/s are also supposed to be protecting their
network from outside.

However; I have certainly seen/heard about nearby successful exploits of
hospital/doctor-group ransomware in which the hackers were significantly
more adept at their job than the system admins were at theirs of
protection/security.

There is virtually ZERO transparency about the local situation, but its
repercussions are still disruptive to quite a few millions of dollars of
'relationships' between at least two large doctor groups and their
associated hospitals, which is also affecting the 'solvency' of a
hospital district (more than 2 hospitals) and its administration,
supported by a tax base system. Crazy.

But, I don't think the 'trojan' explanation is as 'precise' as the 2nd
part of that, 'but ?how?' -- which way/method/vector?
--
Mike Easter
David Brooks
2025-03-03 14:21:06 UTC
Post by Mike Easter
Post by FromTheRafters
Post by Mike Easter
As a general rule, whenever I hear about some malware threat, the
absolute FIRST thing I want to understand is not all of the 'tricks' it
employs to fascinate the hacker set, but rather:  How does this malware
go about the very FIRST step, getting itself 'run' on the target system?
It's a trojan.
That may be so, but it doesn't explain how the malware 'engineers' chose
to go about their mission of getting the linux user to do something s/he
shouldn't or wouldn't have done wisely.
The article says that uni/edu type systems are the 'interested' target.
The 'conventional' behavior of linux users, and particularly those who
are on some kind of linux-related network such as uni/edu is to usually
be using some kind of enterprise distro for which they are supposed to
be using the distro's repo/s, not lollygagging around installing unknown
programs willy-nilly.
They also shouldn't be exposed to some kind of email vector, presuming
their mail is handled by an admin which is more securely operated than a
'casual' linux user.
On such a network, the admin/s are also supposed to be protecting their
network from outside.
However; I have certainly seen/heard about nearby successful exploits of
hospital/doctor-group ransomware in which the hackers were significantly
more adept at their job than the system admins were at theirs of
protection/security.
There is virtually ZERO transparency about the local situation, but its
repercussions are still disruptive to quite a few millions of dollars of
'relationships' between at least two large doctor groups and their
associated hospitals, which is also affecting the 'solvency' of a
hospital district (more than 2 hospitals) and its administration,
supported by a tax base system.  Crazy.
But, I don't think the 'trojan' explanation is as 'precise' as the 2nd
part of that, 'but ?how?' -- which way/method/vector?
This item may be of help to you, Mike:-

https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/

HTH

-- David
David Brooks
2025-03-03 14:25:02 UTC
Post by David Brooks
Post by Mike Easter
Post by FromTheRafters
Post by Mike Easter
As a general rule, whenever I hear about some malware threat, the
absolute FIRST thing I want to understand is not all of the 'tricks' it
employs to fascinate the hacker set, but rather:  How does this malware
go about the very FIRST step, getting itself 'run' on the target system?
It's a trojan.
That may be so, but it doesn't explain how the malware 'engineers'
chose to go about their mission of getting the linux user to do
something s/he shouldn't or wouldn't have done wisely.
The article says that uni/edu type systems are the 'interested'
target. The 'conventional' behavior of linux users, and particularly
those who are on some kind of linux-related network such as uni/edu is
to usually be using some kind of enterprise distro for which they are
supposed to be using the distro's repo/s, not lollygagging around
installing unknown programs willy-nilly.
They also shouldn't be exposed to some kind of email vector, presuming
their mail is handled by an admin which is more securely operated than
a 'casual' linux user.
On such a network, the admin/s are also supposed to be protecting
their network from outside.
However; I have certainly seen/heard about nearby successful exploits
of hospital/doctor-group ransomware in which the hackers were
significantly more adept at their job than the system admins were at
theirs of protection/security.
There is virtually ZERO transparency about the local situation, but
its repercussions are still disruptive to quite a few millions of
dollars of 'relationships' between at least two large doctor groups
and their associated hospitals, which is also affecting the 'solvency'
of a hospital district (more than 2 hospitals) and its administration,
supported by a tax base system.  Crazy.
But, I don't think the 'trojan' explanation is as 'precise' as the 2nd
part of that, 'but ?how?' -- which way/method/vector?
This item may be of help to you, Mike:-
Oops! *Wrong link posted*!

Try here instead:-
https://linuxsecurity.com/news/hackscracks/auto-color-linux-malware

Sorry about that! ;-)
--
David
FromTheRafters
2025-03-03 14:59:20 UTC
Post by David Brooks
Post by David Brooks
Post by Mike Easter
Post by FromTheRafters
Post by Mike Easter
As a general rule, whenever I hear about some malware threat, the
absolute FIRST thing I want to understand is not all of the 'tricks' it
employs to fascinate the hacker set, but rather:  How does this malware
go about the very FIRST step, getting itself 'run' on the target system?
It's a trojan.
That may be so, but it doesn't explain how the malware 'engineers' chose
to go about their mission of getting the linux user to do something s/he
shouldn't or wouldn't have done wisely.
The article says that uni/edu type systems are the 'interested' target.
The 'conventional' behavior of linux users, and particularly those who are
on some kind of linux-related network such as uni/edu is to usually be
using some kind of enterprise distro for which they are supposed to be
using the distro's repo/s, not lollygagging around installing unknown
programs willy-nilly.
They also shouldn't be exposed to some kind of email vector, presuming
their mail is handled by an admin which is more securely operated than a
'casual' linux user.
On such a network, the admin/s are also supposed to be protecting their
network from outside.
However; I have certainly seen/heard about nearby successful exploits of
hospital/doctor-group ransomware in which the hackers were significantly
more adept at their job than the system admins were at theirs of
protection/security.
There is virtually ZERO transparency about the local situation, but its
repercussions are still disruptive to quite a few millions of dollars of
'relationships' between at least two large doctor groups and their
associated hospitals, which is also affecting the 'solvency' of a hospital
district (more than 2 hospitals) and its administration, supported by a
tax base system.  Crazy.
But, I don't think the 'trojan' explanation is as 'precise' as the 2nd
part of that, 'but ?how?' -- which way/method/vector?
This item may be of help to you, Mike:-
Oops! *Wrong link posted*!
Try here instead:-
https://linuxsecurity.com/news/hackscracks/auto-color-linux-malware
Sorry about that! ;-)
Yes, that one.

Auto-Color infiltrates systems through compromised software
repositories and targeted phishing attacks targeting administrators
with admin privileges, giving threat actors access to system resources
without admins' knowledge.
David Brooks
2025-03-03 15:44:22 UTC
[....]
Post by FromTheRafters
Post by David Brooks
Post by David Brooks
This item may be of help to you, Mike:-
Oops! *Wrong link posted*!
Try here instead:- https://linuxsecurity.com/news/hackscracks/auto-
color-linux-malware
Sorry about that! ;-)
Yes, that one.
Auto-Color infiltrates systems through compromised software repositories
and targeted phishing attacks targeting administrators with admin
privileges, giving threat actors access to system resources without
admins' knowledge.
From what I've read, using AV software isn't going to help!

Btw. do you recall Dustin saying this?

=

//Btw, David, heh heh, I did give clamxav author a heads up
about you. I sent him a copy of our emails. I don't know for sure that's
what fucked you with him, and how, but i'd like to think it played a
small part in his wise decision not to interact with you.

Any company or software author you announce as a stalking target of
yours here, I will reach out to and give them a friendly heads up as one
author to another. You aren't the kind of customer they want.//
--
David
FromTheRafters
2025-03-03 14:45:41 UTC
Post by FromTheRafters
Post by Mike Easter
As a general rule, whenever I hear about some malware threat, the
absolute FIRST thing I want to understand is not all of the 'tricks' it
employs to fascinate the hacker set, but rather:  How does this malware
go about the very FIRST step, getting itself 'run' on the target system?
It's a trojan.
That may be so, but it doesn't explain how the malware 'engineers' chose to
go about their mission of getting the linux user to do something s/he
shouldn't or wouldn't have done wisely.
They do say that corrupt repositories is a vector which they use.
The article says that uni/edu type systems are the 'interested' target. The
'conventional' behavior of linux users, and particularly those who are on
some kind of linux-related network such as uni/edu is to usually be using
some kind of enterprise distro for which they are supposed to be using the
distro's repo/s, not lollygagging around installing unknown programs
willy-nilly.
See above.
They also shouldn't be exposed to some kind of email vector, presuming their
mail is handled by an admin which is more securely operated than a 'casual'
linux user.
Yes, phishing emails are also a vector.
On such a network, the admin/s are also supposed to be protecting their
network from outside.
However; I have certainly seen/heard about nearby successful exploits of
hospital/doctor-group ransomware in which the hackers were significantly more
adept at their job than the system admins were at theirs of
protection/security.
There is virtually ZERO transparency about the local situation, but its
repercussions are still disruptive to quite a few millions of dollars of
'relationships' between at least two large doctor groups and their associated
hospitals, which is also affecting the 'solvency' of a hospital district
(more than 2 hospitals) and its administration, supported by a tax base
system. Crazy.
But, I don't think the 'trojan' explanation is as 'precise' as the 2nd part
of that, 'but ?how?' -- which way/method/vector?
Fair enough, I had done some further investigation and what I wrote
above may not have been in the specific article mentioned.

My somewhat hidden point is all the described bad stuff it does, is
done after execution. Cleanup consists of simply deleting the file,
unless you have executed it. Were it some other thing like a virus or
worm, it might not be that simple.
Johnny LaRue
2025-03-02 19:18:27 UTC
On Mar 2, 2025 at 12:00:44 PM EST, "Brock McNuggets"
Once installed, Auto-color allows threat actors...
"Threat Actors"? You mean people in Hollywood who are good at being
threatening on the screen? Like "Comedy Actors" are good at being funny on
the screen?

Or do you mean actual criminals? Not "Criminal Actors".