Executive Summary
Between early November and December 2024, Palo Alto Networks researchers discovered new Linux malware called Auto-color. We chose this name based on the file name the initial payload renames itself to after installation.
The malware employs several methods to avoid detection, such as:
- Operating under benign-looking file names
- Hiding remote command and control (C2) connections using an advanced technique similar to the one used by the Symbiote malware family
- Deploying proprietary encryption algorithms to hide communication and configuration information
Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software.
This article will cover aspects of this new Linux malware, including installation, obfuscation and evasion features. We will also discuss its capabilities and indicators of compromise (IoCs), to help others identify this threat on their systems too.
Palo Alto Networks customers are better protected from the threats discussed in this article through the following products or services: Advanced WildFire machine-learning models, as well as Advanced URL Filtering and Advanced DNS Security, and Cortex XDR and XSIAM.
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
The article contains further details in the following sections:
- Malware Startup and Installation
- Malicious Library Implant Analysis
- Hiding Network Activity
- Target C2 Payload Information
- Core C2 Protocol and API Structure
- Malware C2 API Functionality
- Conclusion
- Additional Resources
(Score: 3, Informative) by Mojibake Tengu on Sunday March 02, @10:23PM (1 child)
Looks pretty old-school. Nothing advanced to be found in whole analysis.
Everything is in books since about 2001, really.
Did some childe find a dusty tome in her father's library?
Rust programming language offends both my Intelligence and my Spirit.
(Score: 3, Insightful) by Unixnut on Sunday March 02, @10:52PM
Ah yes, a fine book, that. It was required reading in my security module at university; in fact, I still have the third edition on my bookshelf.
Likewise I agree with you, this rootkit looks pretty standard. I don't see anything special that makes it novel or otherwise interesting. Making use of LD_PRELOAD to hook functions is as old as the hills really and the rest just seems good practice (i.e. this does not look like it was cooked up by script kiddies, thought was put into the design).
From TFA it does sound like this was a targeted attack on Latin American financial institutions, and the lack of any description of how it installs itself or compromises a machine means that it could well have been installed sparingly on high value targets, possibly even done directly by an insider. As such it seems unlikely that machines outside of the targets would have this rootkit installed.
Still, good that it was shared. They published the hashes so you can at least check whether your system has been compromised if you have any concerns.
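The LD_PRELOAD hooking mentioned above is something a defender can check for directly. The script below is an added example, not code from the Unit 42 write-up or from anyone in this thread; it assumes a Linux host exposing /etc/ld.so.preload and /proc/<pid>/maps, and the sample preload file and maps dump it carries are constructed.

```python
import glob
import os
import re

# Directories a legitimately installed shared library is expected to live in.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed sample inputs (not real data): a preload file and a /proc/<pid>/maps dump.
SAMPLE_PRELOAD = "# loaded into every dynamically linked process\n/var/tmp/.cache/libhook.so\n"
SAMPLE_MAPS = (
    "7f3a0000-7f3a1000 r-xp 00000000 08:01 1 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a2000-7f3a3000 rw-p 00000000 00:00 0\n"
    "7f3a4000-7f3a5000 r-xp 00000000 08:01 2 /var/tmp/.cache/libhook.so\n"
)

def parse_preload(text):
    """Library paths from an /etc/ld.so.preload body (ld.so ignores comments and blanks)."""
    return [p for line in text.splitlines() for p in line.split("#", 1)[0].split()]

def mapped_libraries(maps_text):
    """Shared objects mapped by a process, parsed from /proc/<pid>/maps text."""
    libs = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)          # anonymous mappings have no 6th field
        if len(fields) == 6 and re.search(r"\.so(\.\d+)*$", fields[5]):
            libs.add(fields[5])
    return libs

def untrusted(paths):
    """Keep only libraries living outside the trusted system directories."""
    return sorted(p for p in paths if not p.startswith(TRUSTED_DIRS))

def scan_host():
    """Live scan of this host; reading other users' maps needs root."""
    findings = {}
    if os.path.exists("/etc/ld.so.preload"):     # normally absent, so any entry deserves a look
        with open("/etc/ld.so.preload") as fh:
            findings["/etc/ld.so.preload"] = parse_preload(fh.read())
    for maps in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(maps) as fh:
                hits = untrusted(mapped_libraries(fh.read()))
        except OSError:
            continue                              # process exited or not readable
        if hits:
            findings[maps] = hits
    return findings

if __name__ == "__main__":
    for where, libs in scan_host().items():
        print(where, "->", ", ".join(libs))
```

A preload hook that filters reads of these very files would blind this check, so when in doubt compare its output with a scan from a rescue system or from statically linked tools.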
(Score: 3, Insightful) by atwork on Monday March 03, @01:30AM
That's good to know. It's almost like this whole thing is an ad for them.