A newly discovered Linux malware, named Auto-Color, is actively targeting universities and government organizations across North America and Asia. First identified by Palo Alto Networks’ Unit 42, Auto-Color provides attackers with persistent remote access, making it difficult to detect and remove.
Key characteristics of Auto-Color
- When executed with root privileges, Auto-Color installs a malicious library, renames itself as /var/log/cross/auto-color, and modifies /etc/ld.preload to ensure persistence. Without root access, it still runs but with limited functionality.
- The malware disguises itself with misleading filenames such as “door” or “egg,” encrypts its command-and-control (C2) communications, and hides its presence from process and network listings by manipulating /proc/net/tcp.
- Once active, Auto-Color connects to a remote C2 server, allowing attackers to execute commands, modify system files, open reverse shells, and use the infected system as a proxy for further attacks. A built-in kill switch lets it erase traces of its presence.
The exact method of infection remains unclear, but execution requires user interaction on the targeted Linux system.
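A defender-side check for the persistence artifacts listed above, added here as an example and not code from the article or from Unit 42: it looks for entries in the preload file the article names (and in /etc/ld.so.preload, the file glibc's loader actually reads) and for the renamed binary at /var/log/cross/auto-color, taking a filesystem root as a parameter so it can be run against a mounted image. The fixture paths and library name used in testing are constructed, not indicators from the report.

```shell
#!/bin/sh
# Added example (not Unit 42's tooling): a filesystem check for the persistence
# artifacts the article describes. ROOT is a filesystem root, so the check can be
# run against a mounted disk image from a clean system as well as on a live host.

# report_preload FILE
# Prints every non-comment entry in a preload file and returns 1 if any exist.
# On a healthy system these files are normally absent or empty, so any entry
# deserves review. The article names /etc/ld.preload, while glibc's loader
# actually reads /etc/ld.so.preload, so audit_root checks both.
report_preload() {
    f="$1"
    [ -r "$f" ] || return 0
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        printf 'preload entry in %s: %s\n' "$f" "$line"
        found=1
    done < "$f"
    [ "$found" -eq 0 ]
}

# check_dropped_binary ROOT
# Returns 1 if ROOT/var/log/cross/auto-color exists: the path Auto-Color
# renames itself to when executed as root, per the article.
check_dropped_binary() {
    p="${1:-}/var/log/cross/auto-color"
    if [ -e "$p" ]; then
        printf 'dropped binary present: %s\n' "$p"
        return 1
    fi
    return 0
}

# audit_root ROOT
# Runs all checks; returns 0 when nothing was found, 1 otherwise.
audit_root() {
    root="${1:-}"
    rc=0
    for f in "$root/etc/ld.preload" "$root/etc/ld.so.preload"; do
        report_preload "$f" || rc=1
    done
    check_dropped_binary "$root" || rc=1
    return "$rc"
}

# Live-system usage (as root, so /etc and /var/log are readable): audit_root /
```

Because the malicious library is preloaded into processes on an infected host, listings produced on that host may be unreliable, so prefer running the audit from a rescue environment against the mounted disk.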
Expert Analysis
Auto-Color is a clear sign that Linux threats are becoming more sophisticated and targeted. Unlike generic botnets or automated ransomware, this malware is designed for stealth, persistence, and long-term control. Its ability to modify system processes and evade traditional security tools makes it a serious challenge for defenders.
The sectors targeted—academia and government institutions—suggest that Auto-Color is not just another criminal tool for mass exploitation. Instead, it appears to be part of a more advanced cyber-espionage campaign, where attackers prioritize control over destruction.