Autocolor Malware Analysis

Autocolor Malware

  • Discovered November 5th, 2024, by security researchers.

  • Initial program name: "egg" (the same sample has also been seen under the name "door").

  • Purpose: Spy on universities and government institutions in North America and Asia.

  • Type: Sophisticated Linux backdoor, designed to be stealthy.

Initial Execution

  • Upon running, the "egg" file vanishes without a trace: no error message, no log entry, and no process left visible under that name.

  • Researchers at Palo Alto Networks' Unit 42 discovered another executable named Autocolor.

  • Autocolor lurks in an unusual directory (Unit 42 reports that the sample copies itself to /var/log/cross/auto-color, which is where the name comes from).

  • Autocolor runs silently, with none of the usual signs of infection (no high CPU usage, and no suspicious network connections visible to the tools an administrator would normally run).

Malware Analysis Insights

  • Malgam 12 on Twitter provided a clean version of the malware sample and the decryption script.

Execution Flow

  • Checks its own file name: if it is already running as Autocolor, it skips installation and proceeds to load its configuration.

  • If named "egg" or "door," it is a fresh drop, so it checks whether it is running as root.

  • With root privileges, it performs the full installation, including the stealth components described below; without root it cannot write the system files those components depend on.

Stealth Mechanism

  • Installs a malicious shared library named to pass as a legitimate system library (Unit 42 reports libcext.so.2, mimicking the real libcext.so.0).

  • Adds that library to /etc/ld.so.preload. The dynamic loader reads this file for every dynamically linked program it starts, so the library is mapped into every new process and its exported functions shadow the libc functions of the same name.

  • This puts the malware in a man-in-the-middle position inside each process: it can intercept calls such as open() and read(), and return faked results for the files it wants to hide.

Communication

  • Needs to contact a command-and-control (C2) server.

  • Two methods to find the server address, tried in order:

    • Checks for a tiny (8-byte) config file in its install directory (when running as root), or in a temporary directory otherwise.

    • If the file is not found, it falls back to the address embedded in the binary's data section.

  • The stored server address is obfuscated rather than seriously encrypted: each byte is XORed with, and then has subtracted from it, the corresponding byte of a 4-byte key that rotates across the buffer. Decoding is the inverse in reverse order (add the key byte back, then XOR).
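The lookup order and the decoding scheme above, as an added example that is not the sample's code and not the decryption script the video mentions. The 4-byte key, the 8-byte record layout (4-byte IPv4, 2-byte big-endian port, 2 reserved bytes), the config file name and the sample addresses are assumptions made for the demonstration; only the XOR-then-subtract order and the two-step lookup come from the description.

```python
"""
Added example (not the sample's code, nor the decryption script the video
mentions): a model of the two-step C2 lookup and the XOR-then-subtract
decoding the page describes. KEY, the record layout, CONFIG_NAME and the
addresses in demo() are assumptions for the demonstration.
"""
import os
import socket
import struct
import tempfile

KEY = bytes([0x13, 0x37, 0xC0, 0xDE])   # assumed rotating 4-byte key
CONFIG_NAME = "config"                    # assumed name of the 8-byte config file


def encrypt(plain: bytes, key: bytes = KEY) -> bytes:
    """Forward direction as the page describes it: XOR with the key byte for
    this position, then subtract the same key byte (mod 256)."""
    return bytes(((b ^ key[i % 4]) - key[i % 4]) & 0xFF for i, b in enumerate(plain))


def decrypt(cipher: bytes, key: bytes = KEY) -> bytes:
    """Inverse: add the key byte back first, then undo the XOR."""
    return bytes(((b + key[i % 4]) & 0xFF) ^ key[i % 4] for i, b in enumerate(cipher))


def pack_record(ip: str, port: int) -> bytes:
    """8-byte plaintext record (assumed layout: IPv4, port, 2 reserved bytes)."""
    return socket.inet_aton(ip) + struct.pack(">H", port) + b"\x00\x00"


def c2_record(install_dir: str, embedded: bytes) -> bytes:
    """Lookup order from the page: an 8-byte config file in the install (or
    temp) directory wins; otherwise fall back to the blob carried in the
    binary's data section."""
    try:
        with open(os.path.join(install_dir, CONFIG_NAME), "rb") as fh:
            data = fh.read(8)
        if len(data) == 8:
            return data
    except OSError:
        pass
    return embedded[:8]


def resolve_c2(install_dir: str, embedded: bytes):
    """Decode whichever record was found and return (ip, port)."""
    rec = decrypt(c2_record(install_dir, embedded))
    return socket.inet_ntoa(rec[:4]), struct.unpack(">H", rec[4:6])[0]


def demo():
    """Exercise both paths: no config file (embedded blob used), then a
    config file that overrides it. Returns the two resolved (ip, port) pairs."""
    embedded = encrypt(pack_record("10.0.0.2", 8443))        # constructed
    with tempfile.TemporaryDirectory() as d:
        from_embedded = resolve_c2(d, embedded)
        with open(os.path.join(d, CONFIG_NAME), "wb") as fh:
            fh.write(encrypt(pack_record("192.0.2.7", 443)))  # constructed
        from_file = resolve_c2(d, embedded)
    return from_embedded, from_file


if __name__ == "__main__":
    print(demo())
```

When working from a real sample, the only parts that change are the key bytes and the offset of the blob in the data section; the decoding loop stays the same, which is why a scheme like this is a matter of minutes to strip once the key is read out of the binary.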

Hiding Network Activity

  • Intercepts reads of /proc/net/tcp (the kernel's table of TCP sockets, which netstat, ss and similar tools parse) to hide its connections from monitoring tools.

  • Filters out the rows that belong to its own C2 connection before handing the data back to the reading process.

  • Example:

    • The process sees a rewritten copy of /proc/net/tcp rather than the kernel's original contents.

    • After removing rows, the malware renumbers the "sl" column with a plain running index, but does not reproduce the kernel's exact column formatting, which leaves a visible clue in the output.
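A simulation of what the preloaded hook (Stealth Mechanism above) returns for /proc/net/tcp, and a checker for the sl-column clue, as an added example; none of this is code from the sample or from Unit 42. The /proc/net/tcp contents are constructed for the demonstration, and modelling the clue as the re-indexed sl losing the kernel's fixed-width "%4d: " alignment is an assumption on our part; the page does not state what the formatting defect looks like in the real sample.

```python
"""
Added example, not the sample's code: (1) hide_connections() models the
filtered /proc/net/tcp a hooked read() hands back, (2) sl_anomalies() flags
rows whose sl column is not in the kernel's form. SAMPLE_PROC_NET_TCP and
C2_IP are constructed for the demo; the "plain %d: instead of %4d: "
formatting defect is an assumption.
"""
import re
import socket
import struct

# Constructed sample in the kernel's layout (seq_printf "%4d: %08X:%04X %08X:%04X ...").
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0F00000A:B2E4 0200000A:20FB 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 20 4 30 10 -1\n"
    "   2: 0F00000A:0016 0A00000A:C2F1 01 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 20 4 30 10 -1\n"
)
C2_IP = "10.0.0.2"   # assumed C2 address for the demo (row 1's rem_address)


def parse_addr(field: str):
    """Decode '0200000A:20FB' (little-endian IPv4, big-endian port) to ('10.0.0.2', 8443)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def remote_addrs(text: str):
    """Set of remote IPs present in a /proc/net/tcp dump (header skipped)."""
    return {parse_addr(row.split()[2])[0] for row in text.splitlines()[1:]}


def hide_connections(text: str, hide_ip: str) -> str:
    """What a hooked read() of /proc/net/tcp would return: rows whose remote
    address is the C2 are dropped and the survivors are re-indexed."""
    lines = text.splitlines()
    header, rows = lines[0], lines[1:]
    kept = []
    for row in rows:
        rem_ip, _ = parse_addr(row.split()[2])
        if rem_ip == hide_ip:
            continue
        kept.append(row.split(": ", 1)[1])   # strip the original "   N: " token
    # Re-index. Assumed defect: plain "%d: " instead of the kernel's "%4d: ".
    return "\n".join([header] + [f"{i}: {rest}" for i, rest in enumerate(kept)]) + "\n"


# The kernel prints sl as "%4d: ": right-justified in 4 columns, then ": ".
SL_FORMAT = re.compile(r"^ {0,3}\d{1,4}: ")


def sl_anomalies(text: str):
    """Return (row_index, reason) for rows whose sl column does not match the
    kernel's format or the row's position. Sockets beyond index 9999 widen the
    column and are not handled here."""
    findings = []
    for idx, row in enumerate(text.splitlines()[1:]):
        m = SL_FORMAT.match(row)
        if not m or m.end() != 6:          # "%4d: " is exactly 6 characters
            findings.append((idx, "sl column is not right-justified in 4 columns"))
            continue
        if int(row[:4]) != idx:
            findings.append((idx, "sl is not the row's index"))
    return findings


if __name__ == "__main__":
    faked = hide_connections(SAMPLE_PROC_NET_TCP, C2_IP)
    print(faked)
    print("original:", sl_anomalies(SAMPLE_PROC_NET_TCP))
    print("faked:   ", sl_anomalies(faked))
```

Two practical notes follow from this. First, a format check like sl_anomalies() only catches a sloppy hook; a careful one would reproduce the kernel's formatting exactly. Second, because the hook lives in a preloaded library, it only affects dynamically linked programs: a statically linked copy of a tool such as busybox reads the real /proc/net/tcp, so comparing its view against the dynamically linked netstat or ss on the same host is a more robust check than parsing the output alone.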

Persistence

  • Prevents removal by silently failing attempts to modify its /etc/ld.so.preload entry: the same hooked file functions that hide the entry also make edits to it appear to succeed while leaving it in place. Because the hook only reaches dynamically linked programs, a statically linked editor, or mounting the disk from rescue media, sidesteps it.

Potential Deployment Methods

  • Manual deployment (targeted attack).

  • Compromised credentials (stolen SSH keys, phishing).

  • Supply chain attack (hijacking common software).

Snyk

  • Sponsor of the video.

  • Helps identify security flaws in software dependencies.

Key Takeaways

  • The most dangerous threats are often silent and unnoticed.

  • Keep systems updated.

  • Monitor for unusual processes or network connections, and do not rely solely on tools running on the host itself: a preloaded library can lie to them, so cross-check with statically linked tools or with network-level telemetry.

  • Stay informed about current security threats.

  • Further details can be found in Unit 42's discovery blog post.