Hackers Target SAP NetWeaver to Deploy New Auto-Color Linux Malware

Cybersecurity researchers at Darktrace have uncovered a sophisticated attack targeting a US-based chemicals company, marking the first observed instance of threat actors exploiting SAP NetWeaver vulnerabilities to deploy Auto-Color backdoor malware.

The intrusion, which unfolded over three days in April 2025, shows how quickly a freshly disclosed enterprise application flaw can be chained with capable Linux malware.

Critical Vulnerability Exploitation

The attack leveraged CVE-2025-31324, a critical (CVSS 10.0) missing-authorization flaw in the Visual Composer Metadata Uploader component of SAP NetWeaver, disclosed by SAP on April 24, 2025.

The flaw lets an unauthenticated attacker upload arbitrary files to the application server. An uploaded executable can then be run, giving remote code execution and, on a typical deployment, full compromise of the host.

SAP SE published the advisory and an emergency fix out of band, but the vulnerability has been actively exploited across many organizations since its disclosure.

(Figure: A timeline breaking down the stages of the attack.)

The threat actor began reconnaissance on April 25, probing the target's internet-facing systems with requests whose URIs contained "/developmentserver/metadatauploader", the path of the vulnerable upload endpoint.

Active exploitation followed two days later, on April 27: the attackers downloaded a ZIP file to the SAP host, and the device began making DNS requests to "request bin" services, traffic consistent with DNS tunnelling and of the kind commonly used to confirm out of band that an exploit has fired.
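The probing described above leaves a clear trace in ordinary web server or reverse-proxy logs. The following is an added example, not Darktrace's or SAP's code: it scans Apache/nginx combined-format access lines for requests to the uploader endpoint, normalises the path so casing and percent-encoding tricks do not slip past a plain string match, and labels each hit as a probe (GET/HEAD) or an upload attempt (POST/PUT). The log lines in SAMPLE_LOG are constructed for illustration; the labels and the combined-format assumption are the author's, not from the report.

```python
"""Sweep web access logs for requests to the SAP NetWeaver endpoint that
CVE-2025-31324 exposes.  Added example, not Darktrace's or SAP's code."""
import posixpath
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Combined log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint path named in the article (Visual Composer metadata uploader).
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Constructed sample: one source probing on 25 April (with a mixed-case,
# percent-encoded variant), an unrelated portal visit, and a POST two
# days later that the server answered with 200.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2025:10:14:03 +0000] "GET /developmentserver/metadatauploader?sap-client=001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Apr/2025:10:14:05 +0000] "HEAD /DevelopmentServer/metadata%75ploader/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Apr/2025:11:02:44 +0000] "GET /irj/portal HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Apr/2025:08:31:19 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 233 "-" "python-requests/2.32"
"""


def normalise_path(target):
    """Strip the query string, percent-decode, lower-case and collapse
    '.', '..' and repeated slashes before comparing."""
    path = target.split("?", 1)[0]
    return posixpath.normpath(unquote(path).lower())


def classify(method, target, status):
    """Return a label for a request, or None if it does not touch the endpoint."""
    if normalise_path(target) != UPLOADER_PATH:
        return None
    if method in ("POST", "PUT"):
        # A 2xx to an upload is the case needing immediate follow-up:
        # the endpoint accepted content from this client.
        return "upload-accepted" if status.startswith("2") else "upload-attempt"
    return "probe"


def scan_access_log(text):
    """Return one finding dict per request that touched the endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        label = classify(m["method"], m["target"], m["status"])
        if label:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "status": m["status"], "label": label})
    return findings


def summarise(findings):
    """Per-source-IP counts of each label, for triage ordering."""
    per_ip = defaultdict(Counter)
    for f in findings:
        per_ip[f["ip"]][f["label"]] += 1
    return per_ip


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']}  {f['ip']:<15} {f['method']:<5} {f['status']}  {f['label']}")
    for ip, counts in summarise(hits).items():
        print(ip, dict(counts))
```

A 2xx answer to an unauthenticated POST is the line to act on: it means the endpoint accepted content, and the host should be checked for newly written files and for the follow-on downloads the report describes, rather than treated as a scanner hit.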

Auto-Color, a Remote Access Trojan (RAT) first observed in November 2024, derives its name from renaming itself to “/var/log/cross/auto-color” after execution.


(Figure: Alerts from the device's Model Alert Log showing possible DNS tunnelling requests to "request bin" services.)

The malware has mainly been seen on Linux systems at universities and government institutions in the United States and Asia. Its principal evasion technique is shared-object injection through /etc/ld.so.preload.

Its behaviour depends on the privileges it runs with. With root, Auto-Color installs a malicious shared object named libcext.so.2, a name chosen to resemble a legitimate system library.

It gains persistence by adding that library to /etc/ld.so.preload, so the dynamic loader maps it into every dynamically linked program the system starts, ahead of the program's own libraries. Without root it cannot write that file and skips this step.
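On a healthy host /etc/ld.so.preload usually does not exist at all, so its contents are worth checking directly. The following is an added example, not Darktrace's or any vendor's tooling. It parses the file the way the glibc loader does (entries separated by whitespace or ":", "#" starting a comment), flags the two indicators the article names, and reports every other entry for manual review. The file-existence callback is injectable so the logic can be exercised on the constructed SAMPLE_PRELOAD without touching the real filesystem; the labels are the author's.

```python
"""Host check for ld.so.preload persistence.  Added example, not the
malware analysts' or any vendor's tooling."""
import os
import re
from pathlib import Path

PRELOAD_FILE = "/etc/ld.so.preload"

# Indicators from the article.  The library is matched by basename because
# the directory it is dropped into is not stated.
KNOWN_LIBRARY_NAMES = {"libcext.so.2"}
# Path the RAT renames itself to after execution.
KNOWN_PATHS = ["/var/log/cross/auto-color"]

# Constructed content: a comment, an Auto-Color-style entry, and two
# further entries on one line using the ':' separator.
SAMPLE_PRELOAD = """\
# constructed sample, not a real host's file
/usr/lib/libcext.so.2
/opt/agent/libhook.so:/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
"""


def parse_preload(text):
    """Return the library entries in ld.so.preload order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        entries.extend(t for t in re.split(r"[\s:]+", line) if t)
    return entries


def assess_entry(path, exists):
    """Label one preload entry.  `exists` is supplied by the caller so the
    logic can run against constructed input without touching the disk."""
    if os.path.basename(path) in KNOWN_LIBRARY_NAMES:
        return "known-indicator"
    if not exists:
        # Entry left behind after the file was removed: the loader
        # complains on every exec, which is itself a useful lead.
        return "dangling"
    return "review"


def check_preload(text, file_exists=os.path.exists):
    """Map each preload entry to its label."""
    return {e: assess_entry(e, file_exists(e)) for e in parse_preload(text)}


def check_artifacts(file_exists=os.path.exists):
    """Paths from the article that are present on this host.  Checked
    separately because without root the malware never writes ld.so.preload."""
    return [p for p in KNOWN_PATHS if file_exists(p)]


if __name__ == "__main__":
    preload = Path(PRELOAD_FILE)
    text = preload.read_text() if preload.is_file() else ""
    print(f"{PRELOAD_FILE}: {'present' if preload.is_file() else 'absent'}")
    for entry, label in check_preload(text).items():
        print(f"  {label:<16} {entry}")
    for p in check_artifacts():
        print(f"  known-indicator  {p}")
    print("constructed sample:",
          check_preload(SAMPLE_PRELOAD, lambda p: p != "/opt/agent/libhook.so"))
```

Any entry at all in this file deserves a second look on a server; the "review" label is deliberately not "clean", since a legitimate-looking path is exactly what the malware's naming is designed to produce.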

Darktrace researchers discovered that Auto-Color employs sophisticated suppression tactics to evade detection.

The malware needs a successful connection to its command-and-control (C2) server on port 443 before it activates its full capabilities.

If that connection fails, it deliberately suppresses its malicious behaviour, so it looks benign in a sandbox or during offline analysis. Anyone doing dynamic analysis should expect this: without simulated connectivity on 443 the sample will not reveal what it does.

“This ensures that in air-gapped or sandboxed environments, security analysts may be unable to observe or analyze the malware’s full capabilities,” according to Darktrace’s investigation report.

Darktrace’s Security Operations Centre detected the initial compromise through anomalous ELF file downloads on April 28.

The platform's Autonomous Response capability immediately enforced the device's learned "pattern of life", blocking connections that deviated from its normal behaviour while letting legitimate traffic continue.

Throughout the attack, the threat actor downloaded seven malicious files and attempted connections to infrastructure associated with Supershell, a C2 platform linked to China-affiliated threat groups.

Darktrace’s intervention successfully blocked malicious connections, preventing the malware from completing its kill chain and establishing persistent access.

The incident underscores the critical importance of addressing high-severity vulnerabilities promptly, as they serve as gateways for more sophisticated and persistent threats within enterprise networks.
