The Open doorX: From Directory Listing to Attribution
In July 2024, during the course of our threat research, we identified an interesting web server with directory listing enabled. Among the available files, we discovered an ELF binary named “doorX”, which became the subject of our investigation. This sample was later recognised as part of a malware family that came to be widely known as “Auto-Color”.
In this presentation, we will begin by analyzing the doorX malware, outlining its functions and key characteristics. Particular emphasis will be placed on its techniques for evading detection and hindering analysis – including its implementation of covert communications and encrypted traffic.
We will then share our findings about the web server where doorX was discovered, focusing on the files hosted there. Of particular interest was the presence of ShadowPad, a well-known modular backdoor. We will provide a brief overview of both the loader and the main component of ShadowPad that we identified on the server. Finally, we will examine advanced attack groups that use doorX, including their use of other components such as ShadowPad. We believe this is the first time that publicly available information has linked APT actors to doorX.
By the end of this talk, attendees will gain a detailed understanding of doorX’s behaviour and operational context, and will be better informed about the actor using it. This knowledge will help SOC, IR, and CSIRT professionals to develop effective countermeasures against malware campaigns involving doorX.

Shogo Hayashi – NTT Security Holdings
Shogo Hayashi is a security analyst at NTT Security Holdings. His main specialization is responding to EDR detections, creating detection rules, analyzing malware and researching cyber threats. He is a co-founder of SOCYETI, an organization for sharing threat information and analysis techniques with SOC analysts in Japan. He has spoken at AVAR, JSAC, VB, SAS and CODE BLUE, and has written several white papers and blogs.

Nobuyuki Amakasu – NTT Security Holdings
Nobuyuki Amakasu is a security analyst at NTT Security Holdings, mainly engaged in EDR log analysis, malware analysis and cyber threat research. He previously worked as an SE, responsible for system construction (amongst other things), and has been in his current position since 2018.
