A new Linux backdoor is hitting US universities and governments

(Image credit: Linux)

Unit 42 spots a new Linux malware
Auto-color can grant the attackers full access to compromised endpoints
Initial infection vector is unknown, but universities and governments hit

Universities and government offices in North America and Asia are being targeted by a brand new Linux backdoor called “Auto-color”, experts have claimed.

Cybersecurity researchers from Palo Alto Networks' Unit 42 revealed in early November 2024, it came across a backdoor which was relatively difficult to spot, and impossible to remove without specialized software.

The backdoor was capable of opening a reverse shell to give the attackers full remote access, running arbitrary commands on the target system, tampering with local files, acting as a proxy, or dynamically modifying its configuration. The malware also comes with a kill switch, which allows the threat actors to remove all evidence of compromise and thus make analysis and forensics more difficult.

Dangerous threat

Given its advanced obfuscation features, and an extensive list of dangerous capabilities, Auto-color was described as a very dangerous threat. However, Unit 42 could not attribute it to any known threat actor, nor did it want to discuss the victims in more detail. Therefore, we don’t know how many organizations were infected, nor what the end goal of the campaign is.

What’s also unknown is how the victims got infected in the first place. Unit 42 says the initial infection vector is unknown, but added it has to start with the victim executing a file on the target system. The file usually has a benign name, such as “door”, “log”, or “egg”.

Linux malware is becoming more sophisticated and widespread due to increased Linux adoption in cloud computing, enterprise servers, and IoT devices. Cybercriminals are shifting focus from traditional Windows targets to include Linux environments, exploiting misconfigurations, unpatched vulnerabilities, and weak security practices.

The rise of malware-as-a-service (MaaS) and automated attack tools also makes Linux-based threats more effective, as well.

Via BleepingComputer

Linux devices hit with even more new malware, this time from Chinese hackers
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.