
February 26, 2025

New ‘Auto-Color’ backdoor serious threat to Linux systems


An unknown threat actor has recently been observed targeting Asian and North American universities and government organizations with a previously unreported, highly evasive backdoor called Auto-Color, capable of maintaining stealthy access to infected systems for long durations.

How Auto-Color is initially delivered to its targets is not yet known; however, researchers have observed that it is usually executed from a file with an innocuous name such as “door”, “egg”, or “log”.

Once executed, Auto-Color installs a malicious library (libcext.so.2) disguised as the legitimate libcext.so.0 library and copies itself to a system directory (/var/log/cross/auto-color). If it is running with root privileges, the backdoor then adds its library to /etc/ld.so.preload, which makes the dynamic loader load it into every dynamically linked process ahead of any other shared library; this is how it achieves persistence on the infected system. If it is not running as root, it skips this step.
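The persistence step above is easy to audit, because /etc/ld.so.preload is normally absent or empty on a healthy host. The following checker is an added example for this article, not Field Effect's or any vendor's code. The only facts it takes from the article are the dropped library name (libcext.so.2) and the copy location (/var/log/cross/auto-color); the sample preload contents and the /usr/lib install path are constructed for illustration.

```python
"""Check /etc/ld.so.preload and the file system for Auto-Color persistence.

Added example for this article; it is not Field Effect's or any vendor's code.
The only facts taken from the article are the library name libcext.so.2 and
the copy location /var/log/cross/auto-color. The sample preload contents and
the install path under /usr/lib are constructed for illustration.
"""
import os
import re

# Any library listed in /etc/ld.so.preload is injected into every dynamically
# linked process, so the allowlist should stay empty unless the host
# deliberately preloads something you can account for (e.g. an EDR shim).
ALLOWED_PRELOADS = frozenset()

AUTO_COLOR_LIBRARY = "libcext.so.2"            # dropped library name (from the article)
AUTO_COLOR_PATH = "/var/log/cross/auto-color"  # copy location (from the article)

# Constructed sample of what /etc/ld.so.preload might contain after infection.
# The /usr/lib/... prefix is an assumption, not an observed path.
SAMPLE_PRELOAD = "/usr/lib/x86_64-linux-gnu/libcext.so.2\n"


def parse_ld_so_preload(text):
    """Return the library paths listed in ld.so.preload content.

    glibc treats the file as a whitespace- or colon-separated list of paths
    and ignores anything after '#' on a line.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def suspicious_preloads(text, allowed=ALLOWED_PRELOADS):
    """Return (path, reasons) for every preload entry not explicitly allowed."""
    findings = []
    for path in parse_ld_so_preload(text):
        if path in allowed:
            continue
        reasons = ["not on the preload allowlist"]
        if os.path.basename(path) == AUTO_COLOR_LIBRARY:
            reasons.append("matches the Auto-Color library name")
        if not path.startswith("/"):
            reasons.append("relative path, resolved via the library search path")
        findings.append((path, reasons))
    return findings


def auto_color_file_indicators(paths):
    """Return the paths (e.g. gathered with os.walk) that match the artifacts
    the article names: the dropped library or the backdoor's copy location."""
    return [p for p in paths
            if p == AUTO_COLOR_PATH or os.path.basename(p) == AUTO_COLOR_LIBRARY]


def scan_live_host():
    """Run both checks against the current host (Linux only)."""
    findings = {"preload": [], "files": []}
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            findings["preload"] = suspicious_preloads(fh.read())
    candidates = [AUTO_COLOR_PATH]
    for libdir in ("/lib", "/usr/lib", "/lib64", "/usr/lib64", "/usr/local/lib"):
        for root, _dirs, files in os.walk(libdir):
            candidates.extend(os.path.join(root, f) for f in files)
    findings["files"] = auto_color_file_indicators(
        p for p in candidates if os.path.exists(p))
    return findings


if __name__ == "__main__":
    print("sample preload findings:", suspicious_preloads(SAMPLE_PRELOAD))
    print("live host:", scan_live_host())
```

Run it as root so the library directories and /var/log/cross are readable. Any non-empty result from suspicious_preloads deserves a look even when the name does not match Auto-Color, since a preload entry is a whole-system hook; feed the same check into file-integrity monitoring so that a change to /etc/ld.so.preload raises an alert the moment it happens rather than at the next scan.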


Once Auto-Color has established an encrypted connection with its command and control (C2) server, it can be instructed to:

  • Provide full remote access via a reverse shell;
  • Execute arbitrary commands;
  • Modify or create files;
  • Forward threat actor traffic as a proxy; and
  • Modify its configuration.

Auto-Color’s C2 server address, configuration data, and network traffic are all encrypted, making it very difficult for researchers to detect and analyze its activity.

Source: Bleeping Computer

Analysis

While Auto-Color has its own distinctive features, the use of a malicious shared library loaded through /etc/ld.so.preload for persistence has been observed in other Linux malware, such as the Symbiote family. Because the loader injects the library into every dynamically linked process, the malware can intercept the library calls those processes make (often described as hooking system calls) and alter what they see, thereby evading detection. Auto-Color uses this capability to hide its C2 connections by altering what processes read from /proc/net/tcp. Note that /proc/net/tcp is generated by the kernel and is not a file on disk, so the hiding only affects readers that go through the hooked library: netstat-style tools on the infected host will miss the connection, while a statically linked reader or a network tap outside the host will not.
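That gap between what a hooked process sees and what the kernel actually reports is the detection opportunity. The script below is an added example for this article (not code from the original page or from any malware analysis): it parses /proc/net/tcp and diffs two snapshots, one taken through the possibly hooked libc and one taken by a reader the preload cannot touch, such as a statically linked binary, which never involves ld.so and therefore never sees /etc/ld.so.preload. Both snapshots here are constructed, and the addresses come from documentation ranges, not from observed Auto-Color infrastructure.

```python
"""Detect TCP connections hidden from /proc/net/tcp readers by a preloaded hook.

Added example for this article, not code from the original page or from any
malware analysis. Both snapshots below are constructed: the "hooked" one is
what a process running under the malicious preload library would see, the
"trusted" one is the same moment as reported by a source outside that
library's reach. The IP addresses are from documentation ranges and are not
observed Auto-Color infrastructure.
"""
import socket
import struct

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed /proc/net/tcp rows (little-endian host): a local CUPS listener
# and an established session to a made-up C2 address, 203.0.113.10:443.
HEADER = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when "
          "retrnsmt   uid  timeout inode")
LISTENER = ("   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 "
            "00000000     0        0 12345 1 0000000000000000 100 0 0 10 0")
C2_SESSION = ("   1: 0500000A:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 "
              "00000000     0        0 23456 1 0000000000000000 20 4 30 10 -1")

# What a netstat-style tool sees through the hooked libc: the C2 row is gone.
HOOKED_VIEW = "\n".join([HEADER, LISTENER]) + "\n"
# What a statically linked reader (no ld.so involvement) sees.
TRUSTED_VIEW = "\n".join([HEADER, LISTENER, C2_SESSION]) + "\n"


def _decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into ('dotted.quad', port).

    The kernel prints the IPv4 address as the raw 32-bit value in host byte
    order, so on little-endian hosts (assumed here) the octets are reversed.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return a set of (local, remote, state) tuples from /proc/net/tcp text."""
    conns = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header line or padding
        local = _decode_endpoint(fields[1])
        remote = _decode_endpoint(fields[2])
        conns.add((local, remote, TCP_STATES.get(fields[3], fields[3])))
    return conns


def hidden_connections(hooked_text, trusted_text):
    """Connections present in the trusted snapshot but absent from the hooked one."""
    return parse_proc_net_tcp(trusted_text) - parse_proc_net_tcp(hooked_text)


if __name__ == "__main__":
    for local, remote, state in sorted(hidden_connections(HOOKED_VIEW, TRUSTED_VIEW)):
        print(f"hidden: {local[0]}:{local[1]} -> {remote[0]}:{remote[1]} ({state})")
```

On a real host, remember that the Python interpreter is itself dynamically linked, so reading /proc/net/tcp from this script yields the hooked view; the trusted view has to come from a static binary, a rescue environment, or flow records from the network. Take the two snapshots as close together as possible, or compare only sessions that persist across several readings, so that connections that simply closed between snapshots are not reported as hidden.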

It's interesting that the Auto-Color backdoor was used to target both government organizations and universities, as these are different types of targets that offer different potential value. By compromising government entities, threat actors can potentially access sensitive information, posing a significant security threat. Universities, while not typically primary targets for intelligence gathering, offer high-bandwidth and stable platforms that threat actors can leverage to conduct or proxy further attacks.

Unfortunately, it is not yet clear how the Auto-Color backdoor is reaching the targeted devices. Delivery could be as simple as phishing or drive-by downloads; however, vulnerability exploitation has been widely used to deploy backdoors like Auto-Color, particularly in Linux environments. One example is CVE-2021-44228 (Log4Shell), a remote code execution vulnerability in Log4j that multiple threat actors leveraged to deploy Linux backdoors, cryptominers, and C2 implants.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for emerging threats like the Auto-Color backdoor. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk posed by the actors behind it.

Field Effect MDR users are automatically notified when malicious activity of this kind is detected in their environment and are encouraged to review the resulting AROs (Actions, Recommendations, and Observations) as quickly as possible via the Field Effect Portal.

To help mitigate threats like Auto-Color, Field Effect recommends that administrators enforce least-privilege access, restricting root permissions so that the backdoor cannot reach its persistence step, and monitor /etc/ld.so.preload (which should normally be absent or empty) and the system library directories for unauthorized modifications; file-integrity monitoring covers both. Additionally, regular patching and vulnerability management are crucial to prevent exploitation of known Linux flaws. Finally, network traffic analysis should be in place to detect and block command-and-control (C2) traffic, since a host-side tool can be blinded by the library hook while the network cannot; this reduces the risk of persistence and lateral movement.
