Auto-Color: An Emerging and Evasive Linux Backdoor

    Date: 02/25/2025

    Severity: Medium

    Summary

    "Auto-Color: An Emerging and Evasive Linux Backdoor" refers to a new Linux malware discovered between November and December 2024. The malware, named after the file name it renames itself to upon installation, uses multiple evasion techniques: benign-looking file names, hiding its remote command and control (C2) connections, and proprietary encryption for its communications. Once installed, Auto-Color grants attackers full remote access to the compromised host, and it is difficult to remove without specialized tools. The article explores the malware's installation, evasion strategies, capabilities, and indicators of compromise (IoCs) to help users identify and defend against it.

    Indicators of Compromise (IOC) List

    IP Addresses

    146.70.41.178

    216.245.184.214

    146.70.87.67

    65.38.121.64

    206.189.149.191

    SHA-256 Hashes

    270fc72074c697ba5921f7b61a6128b968ca6ccbf8906645e796cfc3072d4c43
    
    65a84f6a9b4ccddcdae812ab8783938e3f4c12cfba670131b1a80395710c6fb4
    
    83d50fcf97b0c1ec3de25b11684ca8db6f159c212f7ff50c92083ec5fbd3a633
    
    a1b09720edcab4d396a53ec568fe6f4ab2851ad00c954255bf1a0c04a9d53d0a
    
    bace40f886aac1bab03bf26f2f463ac418616bacc956ed97045b7c3072f02d6b
    
    e1c86a578e8d0b272e2df2d6dd9033c842c7ab5b09cda72c588e0410dc3048f7
    
    85a77f08fd66aeabc887cb7d4eb8362259afa9c3699a70e3b81efac9042bb255
    
    bf503b5eb456f74187a17bb8c08bccc9b3d91a7f0f6fd50110540b051510d1ca

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    sha256hash IN (270fc72074c697ba5921f7b61a6128b968ca6ccbf8906645e796cfc3072d4c43,65a84f6a9b4ccddcdae812ab8783938e3f4c12cfba670131b1a80395710c6fb4,83d50fcf97b0c1ec3de25b11684ca8db6f159c212f7ff50c92083ec5fbd3a633,a1b09720edcab4d396a53ec568fe6f4ab2851ad00c954255bf1a0c04a9d53d0a,bace40f886aac1bab03bf26f2f463ac418616bacc956ed97045b7c3072f02d6b,e1c86a578e8d0b272e2df2d6dd9033c842c7ab5b09cda72c588e0410dc3048f7,85a77f08fd66aeabc887cb7d4eb8362259afa9c3699a70e3b81efac9042bb255,bf503b5eb456f74187a17bb8c08bccc9b3d91a7f0f6fd50110540b051510d1ca)

    Detection Query 2

    dstipaddress IN ("146.70.41.178","216.245.184.214","146.70.87.67","65.38.121.64","206.189.149.191") or ipaddress IN ("146.70.41.178","216.245.184.214","146.70.87.67","65.38.121.64","206.189.149.191") or publicipaddress IN ("146.70.41.178","216.245.184.214","146.70.87.67","65.38.121.64","206.189.149.191") or srcipaddress IN ("146.70.41.178","216.245.184.214","146.70.87.67","65.38.121.64","206.189.149.191")
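    The two detection queries above are written for the Gurucul TDIR query language. The script below is an added example, not Gurucul's engine or Unit 42's tooling: it applies the same two checks (the advisory's SHA-256 list and its C2 IP list) to newline-delimited JSON events, using the field names the queries use (sha256hash, dstipaddress, ipaddress, publicipaddress, srcipaddress). The sample events are constructed for illustration; hashes are compared case-insensitively because log sources differ in hex casing, and unparseable lines are skipped rather than aborting the scan.

```python
"""Apply the Auto-Color IoCs from this advisory to sample log events.

Added example for this advisory; not Gurucul's query engine. Field names
follow Detection Query 1 and 2; the sample events are constructed.
"""
import json

# SHA-256 hashes listed in the advisory (Detection Query 1), lower-case hex.
AUTO_COLOR_SHA256 = {
    "270fc72074c697ba5921f7b61a6128b968ca6ccbf8906645e796cfc3072d4c43",
    "65a84f6a9b4ccddcdae812ab8783938e3f4c12cfba670131b1a80395710c6fb4",
    "83d50fcf97b0c1ec3de25b11684ca8db6f159c212f7ff50c92083ec5fbd3a633",
    "a1b09720edcab4d396a53ec568fe6f4ab2851ad00c954255bf1a0c04a9d53d0a",
    "bace40f886aac1bab03bf26f2f463ac418616bacc956ed97045b7c3072f02d6b",
    "e1c86a578e8d0b272e2df2d6dd9033c842c7ab5b09cda72c588e0410dc3048f7",
    "85a77f08fd66aeabc887cb7d4eb8362259afa9c3699a70e3b81efac9042bb255",
    "bf503b5eb456f74187a17bb8c08bccc9b3d91a7f0f6fd50110540b051510d1ca",
}

# C2 IP addresses listed in the advisory (Detection Query 2).
AUTO_COLOR_IPS = {
    "146.70.41.178", "216.245.184.214", "146.70.87.67",
    "65.38.121.64", "206.189.149.191",
}

# Every IP-bearing field that Detection Query 2 inspects.
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def match_event(event):
    """Return a list of (query, field, value) hits for one parsed event.

    Hash values are normalised to lower case before comparison; IP values
    are only stripped of surrounding whitespace.
    """
    hits = []
    h = event.get("sha256hash")
    if isinstance(h, str) and h.strip().lower() in AUTO_COLOR_SHA256:
        hits.append(("Detection Query 1", "sha256hash", h.strip().lower()))
    for field in IP_FIELDS:
        v = event.get(field)
        if isinstance(v, str) and v.strip() in AUTO_COLOR_IPS:
            hits.append(("Detection Query 2", field, v.strip()))
    return hits


def scan_log(lines):
    """Parse newline-delimited JSON events and return (line_no, hits) for
    every event that matches at least one IoC. Blank or non-JSON lines are
    skipped so one malformed record does not stop the scan."""
    results = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        hits = match_event(event)
        if hits:
            results.append((line_no, hits))
    return results


# Constructed sample events (not real telemetry); paths and private IPs are placeholders.
SAMPLE_LOG_LINES = [
    '{"host":"web01","event":"file_create","path":"/tmp/sample-file",'
    '"sha256hash":"270FC72074C697BA5921F7B61A6128B968CA6CCBF8906645E796CFC3072D4C43"}',
    '{"host":"web01","event":"net_connect","srcipaddress":"10.0.0.12",'
    '"dstipaddress":"146.70.41.178","dstport":443}',
    '{"host":"db02","event":"net_connect","srcipaddress":"10.0.0.20",'
    '"dstipaddress":"203.0.113.5","dstport":443}',
    "not json at all",
    '{"host":"db02","event":"file_create","path":"/usr/bin/ls",'
    '"sha256hash":"0000000000000000000000000000000000000000000000000000000000000000"}',
]

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG_LINES):
        for query, field, value in hits:
            print(f"line {line_no}: {query} matched {field}={value}")
```

    Run against the constructed sample, only the first two events match (the upper-case hash on line 1 and the C2 destination on line 2); the benign connection, the malformed line and the unrelated hash produce no hits. To use it on real telemetry, feed the exported JSON events to scan_log one line at a time and route the returned hits to your alerting pipeline.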

    Reference:

    https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/


    Tags

    Malware, Backdoor, Linux

