Hackers Exploiting SAP NetWeaver Vulnerability to Deploy Auto-Color Linux Malware


A sophisticated cyberattack targeting a US-based chemicals company has revealed the first observed pairing of SAP NetWeaver exploitation with Auto-Color malware, demonstrating how threat actors are leveraging critical vulnerabilities to deploy advanced persistent threats on Linux systems. 

In April 2025, cybersecurity firm Darktrace successfully detected and contained an attack that exploited CVE-2025-31324, a critical vulnerability in SAP NetWeaver, to deploy the stealthy Auto-Color backdoor malware over three days.

Key Takeaways
1. CVE-2025-31324 SAP NetWeaver attack deployed Auto-Color malware.
2. Auto-Color uses Linux manipulation and adaptive evasion techniques.
3. Darktrace prevented malware activation and C2 communication.

SAP NetWeaver Vulnerability Exploited

The attack began with the exploitation of CVE-2025-31324, a critical vulnerability disclosed by SAP SE on April 24, 2025, that affects SAP NetWeaver application servers. 


This vulnerability enables malicious actors to upload files to the server, potentially leading to remote code execution and full system compromise. 

Threat actors conducted reconnaissance activities starting April 25, scanning for the vulnerability using URIs containing /developmentserver/metadatauploader before launching the full attack two days later.

The initial compromise occurred through a ZIP file download from a malicious IP address 91.193.19[.]109, accompanied by DNS tunneling requests to Out-of-Band Application Security Testing (OAST) domains such as aaaaaaaaaaaa[.]d06oojugfd4n58p4tj201hmy54tnq4rak[.]oast[.]me. 


The attackers then executed a shell script named config.sh via the helper.jsp file, establishing connections to C2 infrastructure at 47.97.42[.]177 over port 3232, an endpoint associated with Supershell, a command-and-control platform linked to China-affiliated threat groups.
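The reconnaissance probe, the OAST DNS callbacks and the Supershell C2 connection described above are all visible in ordinary web, DNS and flow logs. The following added example (not code from the article or from Darktrace) shows one way to hunt for those indicators. The log line formats, the sample lines and the internal client addresses are constructed for the example; the URI path, the OAST domain and the two external IP addresses are the ones quoted in the article, with the defanging brackets removed.

```python
import re
from typing import Dict, List, Tuple

# Network indicators quoted in the article (defanged brackets removed).
SAP_RECON_URI = "/developmentserver/metadatauploader"
OAST_DOMAINS = ("oast.me",)            # only the OAST domain the article names
C2_ENDPOINT = ("47.97.42.177", 3232)   # Supershell C2 reported in the article
ZIP_SOURCE_IP = "91.193.19.109"        # host that served the initial ZIP file

# Constructed sample logs; the formats are assumptions, not from the report.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [25/Apr/2025:09:12:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 0',
    '203.0.113.10 - - [25/Apr/2025:09:12:03 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Apr/2025:09:15:44 +0000] "GET /irj/portal HTTP/1.1" 200 8192',
]
SAMPLE_DNS_LOG = [
    "2025-04-27T10:01:02Z 10.0.0.5 A aaaaaaaaaaaa.d06oojugfd4n58p4tj201hmy54tnq4rak.oast.me",
    "2025-04-27T10:01:05Z 10.0.0.5 A www.example.com",
    "2025-04-27T10:02:10Z 10.0.0.9 TXT q1.d06oojugfd4n58p4tj201hmy54tnq4rak.oast.me",
]
SAMPLE_FLOW_LOG = [
    "2025-04-27T10:04:59Z 10.0.0.5:44120 -> 91.193.19.109:80 TCP",
    "2025-04-27T10:05:00Z 10.0.0.5:51234 -> 47.97.42.177:3232 TCP",
    "2025-04-27T10:05:30Z 10.0.0.5:51235 -> 198.51.100.20:443 TCP",
]

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+)$")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<proto>\S+)$"
)


def find_sap_recon(lines: List[str]) -> List[Dict[str, str]]:
    """Return access-log hits whose URI contains the NetWeaver probe path.

    Both 404s (probing) and 200s matter: in the reported intrusion the probe
    came two days before the actual attack, so early hits are the cheap warning.
    """
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and SAP_RECON_URI in m.group("uri").lower():
            hits.append(m.groupdict())
    return hits


def find_oast_queries(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) for lookups under any listed OAST domain."""
    out = []
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in OAST_DOMAINS):
            out.append((m.group("client"), qname))
    return out


def find_c2_flows(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for flows to the reported C2 or payload host."""
    out = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        dst, dport = m.group("dst"), int(m.group("dport"))
        if (dst, dport) == C2_ENDPOINT or dst == ZIP_SOURCE_IP:
            out.append((m.group("src"), dst, dport))
    return out


if __name__ == "__main__":
    for hit in find_sap_recon(SAMPLE_ACCESS_LOG):
        print("recon:", hit["ip"], hit["method"], hit["uri"], hit["status"])
    for client, qname in find_oast_queries(SAMPLE_DNS_LOG):
        print("oast:", client, qname)
    for src, dst, dport in find_c2_flows(SAMPLE_FLOW_LOG):
        print("c2:", src, "->", f"{dst}:{dport}")
```

The three checks are deliberately independent so each can be wired to whichever log source a SIEM actually has; the OAST match is the most portable of the three, since the article's attackers used it as a blind confirmation of code execution, and a single query under such a domain from an internal SAP host is rarely benign.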

Auto-Color Malware Persistence Techniques

The Auto-Color backdoor malware, named after its ability to rename itself to /var/log/cross/auto-color after execution, represents a sophisticated Remote Access Trojan (RAT) that has primarily targeted universities and government institutions since November 2024. 

The malware demonstrates adaptive behavior based on privilege levels, with limited functionality when executed without root privileges to avoid detection in restricted environments.

When executed with root privileges, Auto-Color performs invasive installation procedures, deploying a malicious shared object libcext.so.2 that masquerades as a legitimate C utility library. 

The malware achieves persistence through ld.so.preload manipulation, modifying or creating /etc/ld.so.preload to insert references to the malicious library. 

This technique ensures the malware loads before other libraries when executing dynamically linked programs, enabling it to hook and override standard system functions across applications.
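Because /etc/ld.so.preload is consulted by the dynamic loader for every dynamically linked program, and most Linux hosts have no such file at all, auditing its contents is a direct check for the persistence technique described above. The following added example (not code from the article, Darktrace, or the malware analysis it summarises) parses the file the way glibc does, flags any entry not on an administrator-supplied allowlist, and treats the library name and rename path quoted in the article as high-severity indicators. The sample file content and the allowlist are constructed for the example.

```python
import os
from dataclasses import dataclass
from typing import List, Sequence

PRELOAD_PATH = "/etc/ld.so.preload"
# Indicators taken from the article: the dropped library and the renamed binary.
AUTO_COLOR_LIBRARY = "libcext.so.2"
AUTO_COLOR_BINARY = "/var/log/cross/auto-color"


@dataclass
class Finding:
    severity: str  # "high" for a known indicator, "medium" for any unexpected entry
    entry: str
    reason: str


def parse_preload(content: str) -> List[str]:
    """Return the library paths listed in an ld.so.preload body.

    glibc separates entries by whitespace and ignores '#' to end of line,
    so a malicious entry may hide after legitimate ones on a single line.
    """
    entries: List[str] = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0]
        entries.extend(line.split())
    return entries


def audit_preload(content: str, allowlist: Sequence[str] = ()) -> List[Finding]:
    """Flag preload entries that are not explicitly expected on this host."""
    findings: List[Finding] = []
    for entry in parse_preload(content):
        if os.path.basename(entry) == AUTO_COLOR_LIBRARY:
            findings.append(Finding("high", entry, "matches Auto-Color library name"))
        elif entry not in allowlist:
            findings.append(Finding("medium", entry, "preload entry not in allowlist"))
    return findings


def scan_live_host(allowlist: Sequence[str] = ()) -> List[Finding]:
    """Audit the real /etc/ld.so.preload and check for Auto-Color's rename path."""
    findings: List[Finding] = []
    if os.path.isfile(PRELOAD_PATH):
        with open(PRELOAD_PATH, encoding="utf-8", errors="replace") as fh:
            findings.extend(audit_preload(fh.read(), allowlist))
    if os.path.exists(AUTO_COLOR_BINARY):
        findings.append(Finding("high", AUTO_COLOR_BINARY, "Auto-Color rename target exists"))
    return findings


# Constructed sample content: one benign, allowlisted entry and one indicator.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/libtcmalloc.so.4  /usr/lib/libcext.so.2\n"
SAMPLE_ALLOWLIST = ("/usr/lib/libtcmalloc.so.4",)

if __name__ == "__main__":
    print("sample file:")
    for f in audit_preload(SAMPLE_PRELOAD, SAMPLE_ALLOWLIST):
        print(f"  [{f.severity}] {f.entry}: {f.reason}")
    print("this host:")
    for f in scan_live_host(SAMPLE_ALLOWLIST):
        print(f"  [{f.severity}] {f.entry}: {f.reason}")
```

On a fleet, the useful baseline is an empty or absent preload file; any host where the file exists should already be an alert, and the allowlist exists only for the few systems where a memory allocator or profiler is legitimately preloaded. Because Auto-Color hooks standard functions inside every process, run the check from a statically linked tool or a known-good live environment if the host is already suspected to be compromised.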

The successful intervention by Darktrace’s Managed Detection and Response service, which extended Autonomous Response actions for an additional 24 hours, provided crucial time for the customer’s security team to investigate and remediate the threat. 

The attack underscores the urgent need for organizations using SAP NetWeaver to immediately apply security patches, as threat actors continue to exploit this critical vulnerability across multiple systems.
