CTI Roundup: Auto-Color Malware, Vulnerable Windows Driver, and Lotus Blossom
Auto-color Linux malware grants full remote access, attackers exploit Truesight.sys in new malware campaign, and Lotus Blossom threatens multiple industries
In this week’s roundup, CTI examines a new Linux malware called Auto-color that targets organizations across North America and Asia. Next, CTI investigates an ongoing campaign that leverages a vulnerable Windows driver to deliver Gh0st RAT malware. Finally, CTI explores several espionage campaigns linked to a threat actor known as Lotus Blossom.
Auto-color Linux malware grants full remote access
Researchers at Palo Alto have uncovered a new Linux malware family that they are calling Auto-color.
The malware, which was observed targeting organizations across North America and Asia, gives threat actors full remote access to infected machines.
The malware most notably uses benign-looking file names, hides its remote C2 connections, and uses a proprietary encryption algorithm to evade detection further.
Who does Auto-color Linux malware target?
Palo Alto first observed a sample of this malware in November 2024, with the most recent sample observed in December 2024. Palo Alto has observed this malware family targeting universities and government offices.
Researchers have yet to determine how the malware reaches its victims. However, Palo Alto determined that the file is designed to be run explicitly by the victim on Linux machines.
How does Auto-color malware work?
The malware will use a different file name for each target it is deployed to. As noted, it uses benign-looking file names like “door” or “egg.” The hash is different for each file because the Auto-color creator chose to “statically compile the encrypted C2 configuration payload into each malware sample.”
When the malware runs on a machine, it first checks whether its own executable is, in fact, named Auto-color. If the file name is not Auto-color, it runs the installation phase “for an evasive library implant located within the executable itself.”
The malware will only proceed with its routine if it has the necessary root privileges and, if so, will install a malicious library implant that mimics the legitimate C utility library.
Auto-color copies and renames itself to “/var/log/cross/auto-color” before installing the library implant, then registers the malicious library in “ld.preload,” a standard file on Linux systems.
As Palo Alto notes, libraries listed in “ld.preload” are loaded before any other shared library, which lets the malicious library override functions in core libraries such as the C library.
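To make the preload check concrete, here is an added audit script (not from Palo Alto’s report or this roundup) that parses the glibc preload file, assumed here to be /etc/ld.so.preload, flags any entry that is not on a local allowlist, and looks for the /var/log/cross/auto-color drop path; the sample preload content and library names are constructed.

```python
import os
from collections.abc import Callable

# Standard glibc preload file; assumed to be the "ld.preload" file the write-up refers to.
PRELOAD_FILE = "/etc/ld.so.preload"
# Path the write-up reports Auto-color copying itself to before installing its implant.
DROPPED_PATHS = ("/var/log/cross/auto-color",)
# Directories where legitimately preloaded libraries are expected to live.
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed sample: one allowlisted entry and two look-alike C library implants,
# one of them planted inside a system library directory.
SAMPLE_PRELOAD = (
    "# constructed sample preload file\n"
    "/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so\n"
    "/tmp/.cache/libc-lookalike.so /usr/lib/libc-lookalike.so\n"
)
ALLOWLIST = frozenset({"/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so"})

def parse_preload(text: str) -> list[str]:
    """Split preload-file content into library paths: whitespace-separated, '#' to end of line ignored."""
    entries: list[str] = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries

def audit_preload(text: str, allowlist: frozenset[str] = frozenset()) -> list[str]:
    """Report every preload entry that is not explicitly allowlisted.

    An implant that mimics the C library is exactly what Auto-color installs, so any
    unexpected entry is a finding; entries outside system library directories are marked.
    """
    findings = []
    for lib in parse_preload(text):
        if lib in allowlist:
            continue
        where = "" if lib.startswith(SYSTEM_LIB_DIRS) else " (outside system library dirs)"
        findings.append(f"unexpected preload entry: {lib}{where}")
    return findings

def audit_dropped_paths(exists: Callable[[str], bool] = os.path.exists) -> list[str]:
    """Report the known Auto-color drop location if present; `exists` is injectable for testing."""
    return [f"known Auto-color path present: {p}" for p in DROPPED_PATHS if exists(p)]

if __name__ == "__main__":
    print("\n".join(audit_preload(SAMPLE_PRELOAD, ALLOWLIST)))  # offline demo on the sample
    live = open(PRELOAD_FILE).read() if os.path.exists(PRELOAD_FILE) else ""
    print("\n".join(audit_preload(live, ALLOWLIST) + audit_dropped_paths() or ["live host: no findings"]))
```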
Before the core malware execution phase, the malware must decrypt the payload to learn which remote attacker servers it should connect to. To obtain this payload, it first reads a specific file and, if that fails, extracts it from the .data section of that file.
The payload’s encryption is a version of a stream cipher. Palo Alto analyzed the payload and found it consisted of three main components:
- The size of the encrypted block
- The ciphertext
- The key itself
The final payload, when decrypted, contains the true targets that the malware must connect to.
Once the malware connects to the threat actor, it initiates a handshake and waits for commands to execute. Each command payload has a structure specific to the API command identified by its command ID.
Analyst comments from Tanium’s Cyber Threat Intelligence team
The most recent sample of Auto-color was observed in December 2024. As a result, it’s unclear if this is still an active threat that’s gone undetected or if it’s truly died down.
Interestingly, this malware uses a different file for each target with a different name and hash, making detection based purely on these indicators somewhat unhelpful. This is a reminder that relying solely on these indicators is not enough, and having detections for specific tactics may be more fruitful.
Threat actors exploit Truesight.sys in new malware campaign
Check Point recently identified an ongoing malware campaign leveraging a vulnerable Windows driver, Truesight.sys, to deliver the Gh0st RAT malware.
The research uncovered thousands of first-stage malicious samples that were deploying an EDR/AV killer module.
Background and key findings
Check Point began the research in an effort to identify the abuse of drivers not known to be vulnerable, which, as you can imagine, is much more challenging than hunting for those known to be vulnerable. The research led to the discovery of a large and ongoing malware campaign.
At first glance, one of the samples seemed to be dropping a known vulnerable driver named “Truesight.sys.” The researchers soon realized that this was not merely another instance of the vulnerable Truesight driver. The samples dropped the same version of the vulnerable driver, but the file hashes differed. This indicated that the attacker had likely modified the driver just enough to alter the file hash while leaving its digital signature intact.
What researchers determined:
- These actors are using infrastructure from the China region of a public cloud. This infrastructure hosts payloads and the C2 servers.
- Approximately 75% of the victims are thought to be in China.
- The samples that act as downloaders were observed disguising themselves as well-known applications and were delivered via phishing.
Technical details
This campaign’s earliest detected initial-stage sample dates from June 2024 and exploited the vulnerable version of the original legacy driver. Shortly after, these initial-stage samples started exploiting modified variants of the driver instead of the original.
Check Point separated the initial infection into three phases, including:
- Downloading the second stage and encrypted payloads
- Loading the payloads and downloading stage three and its encrypted payloads
- Loading the stage three payloads and deploying the EDR/AV killer module in-memory
It ultimately ends with the deployment and execution of Gh0st RAT.
Check Point’s report details the legacy Truesight driver. Further, all the samples Check Point investigated resulted in the deployment of Gh0st RAT — specifically, a variant known as HiddenGh0st.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Based on Check Point’s research, it’s clear that threat actors are increasingly exploiting vulnerable drivers. While hunting for known vulnerable driver instances can often be simple, this particular attack involving the Truesight driver would have bypassed detections that relied on known hashes, among other methods.
As Check Point calls out, moving to an approach that “blocks drivers based on attributes beyond just hashes […] is critical for improving detection and protection.”
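As an added illustration (not Check Point’s code or tooling) of blocking on attributes rather than hashes, the following compares a hash blocklist with a rule keyed on signer, OriginalFilename, and file version over a constructed driver inventory; the signer name, hashes, file paths, and version numbers are placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DriverRecord:
    """What an inventory agent can report about a driver file (all values here are constructed)."""
    path: str
    sha256: str             # hash of the file bytes
    signer: str             # subject of the Authenticode signing certificate
    original_filename: str  # OriginalFilename from the PE version resource
    file_version: str       # FileVersion from the PE version resource

@dataclass(frozen=True)
class AttributeRule:
    """Block any driver from `signer` whose OriginalFilename matches and whose version is at or below `max_version`."""
    signer: str
    original_filename: str
    max_version: str

def version_key(v: str) -> tuple[int, ...]:
    """Turn '1.10.0.0' into (1, 10, 0, 0) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def blocked_by_hash(rec: DriverRecord, hash_blocklist: frozenset[str]) -> bool:
    return rec.sha256.lower() in hash_blocklist

def blocked_by_attributes(rec: DriverRecord, rules: list[AttributeRule]) -> bool:
    return any(
        rec.signer == r.signer
        and rec.original_filename.lower() == r.original_filename.lower()
        and version_key(rec.file_version) <= version_key(r.max_version)
        for r in rules
    )

# Constructed inventory: the original vulnerable driver, a copy altered in bytes that the
# Authenticode hash does not cover (new file hash, same valid signature and version), and a
# hypothetical fixed release. Signer, hashes, paths and versions are placeholders.
ORIGINAL = DriverRecord(r"C:\Windows\Temp\Truesight.sys", "hash-original", "PLACEHOLDER-SIGNER", "Truesight.sys", "1.0.0.0")
VARIANT = DriverRecord(r"C:\Windows\Temp\ts.sys", "hash-variant", "PLACEHOLDER-SIGNER", "Truesight.sys", "1.0.0.0")
FIXED = DriverRecord(r"C:\Windows\System32\drivers\Truesight.sys", "hash-fixed", "PLACEHOLDER-SIGNER", "Truesight.sys", "2.0.0.0")

HASH_BLOCKLIST = frozenset({"hash-original"})  # only the one sample already catalogued
RULES = [AttributeRule("PLACEHOLDER-SIGNER", "Truesight.sys", "1.9.9.9")]

def evaluate(records: list[DriverRecord]) -> dict[str, tuple[bool, bool]]:
    """Map each driver path to (blocked by hash, blocked by attributes)."""
    return {r.path: (blocked_by_hash(r, HASH_BLOCKLIST), blocked_by_attributes(r, RULES)) for r in records}
```

Running `evaluate([ORIGINAL, VARIANT, FIXED])` shows the hash list catching only the catalogued sample, while the attribute rule catches both vulnerable copies and leaves the fixed release alone.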
Lotus Blossom threatens multiple industries
Cisco Talos discovered multiple espionage campaigns involving Lotus Blossom, a group operating since at least 2012.
Recent attacks, which deliver the Sagerunex backdoor and other hacking tools, target several industries, including manufacturing, government, telecommunications, and media. The actor has also created new variants of its signature backdoor that abuse third-party cloud services for C2. Cisco Talos notes that the recent campaign seems to have achieved significant success while primarily targeting victims in the Philippines, Vietnam, Hong Kong, and Taiwan.
The researchers also discovered new variants of Lotus Blossom’s Sagerunex backdoor. Instead of relying on virtual private servers for the C2, these new variants use third-party cloud services, including Dropbox, Twitter, and Zimbra.
What tools are used in the Lotus Blossom attack chain?
Cisco Talos found that this group uses a wide range of tools, including open-source tools and others, such as a cookie stealer, the Venom proxy tool, an adjust privilege tool, an archiving tool, a port relay tool, and a RAR tool. The report provides more details on each of these tools.
The group was commonly observed leveraging the Impacket tool to execute remote commands. After successfully gaining access to the network, the actor works through multiple stages, starting with reconnaissance. The actor then confirms whether the device can connect to the internet and, if not, uses various tools to link the device to internet-accessible systems. The actor was also observed staging the backdoor and other hacking tools within the “publicpictures” subfolder before installing the Sagerunex backdoor.
How Sagerunex gets installed
Cisco Talos identified multiple variants of the Sagerunex backdoor by examining the loader code. When the backdoor executes, it performs verification checks to ensure it can proceed. Each variant has its own time-check logic that determines whether it should run immediately or delay execution. A feature shared by all the identified variants is the proxy configuration.
Cisco Talos identified several variants, including a Beta version, Dropbox and Twitter versions, and a Zimbra version. The report details the Beta, Dropbox, and Twitter versions.
Zimbra, the most recent version, uses the Zimbra API to connect to the service, which is then used as a C2 channel for the campaign. This version will use the Zimbra URL, username, and password to get the appropriate authentication token. It can then use the token to sync folders and documents.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Like many other actors, Lotus Blossom has shifted to rely more on legitimate services like Dropbox, Twitter, and Zimbra to evade detection. This is a common trend in which actors purposely abuse services that will blend in with normal business traffic.
Cisco Talos’ timeline of the different Sagerunex variants indicates that the actor started abusing legitimate services in 2018, before the larger surge in the past few years.