A new Linux backdoor is hitting US universities and governments

News
By
published

Auto-color granted its operators full access to compromised endpoints

Close up of the Linux penguin.
(Image credit: Linux)
  • Unit 42 spots a new Linux malware
  • Auto-color can grant the attackers full access to compromised endpoints
  • Initial infection vector is unknown, but universities and governments hit

Universities and government offices in North America and Asia are being targeted by a brand new Linux backdoor called “Auto-color”, experts have claimed.

Cybersecurity researchers from Palo Alto Networks' Unit 42 revealed in early November 2024, it came across a backdoor which was relatively difficult to spot, and impossible to remove without specialized software.

The backdoor was capable of opening a reverse shell to give the attackers full remote access, running arbitrary commands on the target system, tampering with local files, acting as a proxy, or dynamically modifying its configuration. The malware also comes with a kill switch, which allows the threat actors to remove all evidence of compromise and thus make analysis and forensics more difficult.

Dangerous threat

Given its advanced obfuscation features, and an extensive list of dangerous capabilities, Auto-color was described as a very dangerous threat. However, Unit 42 could not attribute it to any known threat actor, nor did it want to discuss the victims in more detail. Therefore, we don’t know how many organizations were infected, nor what the end goal of the campaign is.

What’s also unknown is how the victims got infected in the first place. Unit 42 says the initial infection vector is unknown, but added it has to start with the victim executing a file on the target system. The file usually has a benign name, such as “door”, “log”, or “egg”.

Linux malware is becoming more sophisticated and widespread due to increased Linux adoption in cloud computing, enterprise servers, and IoT devices. Cybercriminals are shifting focus from traditional Windows targets to include Linux environments, exploiting misconfigurations, unpatched vulnerabilities, and weak security practices.

The rise of malware-as-a-service (MaaS) and automated attack tools also makes Linux-based threats more effective, as well.

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
A hand laying out a password

Microsoft fixes concerning issue with its Entra ID authentication tool
An abstract image of digital security.

Hundreds of GitHub repositories hijacked to trick users into downloading malware
Alyssa Thompson #7 of USA looking for an open teammate during the SheBelieves Cup game between Australia and USWNT at State Farm Stadium on February 23, 2025 in Glendale, Arizona.

USA vs Japan Women live stream: how to watch SheBelieves Cup 2025 online, TV channel, kick-off time
See more latest