Universities and state organizations in North America and Asia were aimed at previously unregistered Linux malware called Auto Color in November to December 2024, according to the Palo Alto Networks 42.
“After installing a car coloration allows the subject to threaten full remote access to compromised machines, which is very difficult to remove without specialized software,” security researcher Alex Armstrong – Note In the technical record of malicious software.
The carculator named the initial load on the basis of the file name renamed the installation itself after installation. It is currently unknown how it reaches its goals, but what is known is that it requires that the victim clearly launches him by his Linux car.
A noticeable aspect of malicious software is the arsenal of the tricks it uses to evade detection. This includes the use of seemingly incomprehensible file names such as a door or an egg, hiding team connections and control (C2), as well as using your own encryption algorithms to disguise information about communication and configuration.
After launching with root privileges, it continues to install a malicious library implant called “Libcext.So.2” to establish persistence on the host.
“If the current user lacks root privileges, malicious software will not continue to install the system,” Armstrong said. “It will do it as much as possible at its next stages without this library.”
The library implant is equipped for passive functional features used in libc for interception Open () system callwhich it uses to hide C2 communications by changing “/Proc/Net/TCP”, “a file containing information about all active network connections. The same technique has been taken by another malicious Linux software called Symbiot.
It also prevents the removal of malware by protecting “/etc/ld.Preload” from further modification or removal.
Then the auto -collar target IP -Draces and even remove yourself with the switch.
“After execution, the malicious software tries to receive remote instructions from the command server, which can create a reverse shell in the victim system,” Armstrong said. “The actors threatens separately and encrypt each IP -server teams with their own algorithm.”
