A sophisticated cyberattack targeting a US-based chemicals company has revealed the first observed pairing of SAP NetWeaver exploitation with Auto-Color malware<\/a>, demonstrating how threat actors are leveraging critical vulnerabilities to deploy advanced persistent threats on Linux systems.\u00a0<\/p>\n In April 2025, cybersecurity firm Darktrace successfully detected and contained an attack that exploited CVE-2025-31324, a critical vulnerability in SAP NetWeaver, to deploy the stealthy Auto-Color backdoor malware over three days.<\/p>\n The attack began with the exploitation of CVE-2025-31324<\/a>, a critical vulnerability disclosed by SAP SE on April 24, 2025, that affects SAP NetWeaver application servers.\u00a0<\/p>\n This vulnerability enables malicious actors to upload files to the server, potentially leading to remote code execution and full system compromise.\u00a0<\/p>\n Threat actors conducted reconnaissance activities starting April 25, scanning for the vulnerability using URIs containing \/developmentserver\/metadatauploader before launching the full attack two days later.<\/p>\n The initial compromise occurred through a ZIP file download from a malicious IP address 91.193.19[.]109, accompanied by DNS tunneling requests to Out-of-Band Application Security Testing<\/a> (OAST) domains such as aaaaaaaaaaaa[.]d06oojugfd4n58p4tj201hmy54tnq4rak[.]oast[.]me.\u00a0<\/p>\n The attackers then executed a shell script named config.sh via the helper.jsp file, establishing connections to C2 infrastructure at 47.97.42[.]177 over port 3232, an endpoint associated with Supershell, a command-and-control platform linked to China-affiliated threat groups.<\/p>\n The Auto-Color backdoor malware, named after its ability to rename itself to \/var\/log\/cross\/auto-color after execution, represents a sophisticated Remote Access Trojan (RAT)<\/a> that has primarily targeted universities and government institutions since November 2024.\u00a0<\/p>\n The malware demonstrates adaptive behavior based on privilege levels, with limited functionality when executed without root privileges to avoid detection in restricted environments.<\/p>\n When executed with root privileges, Auto-Color performs invasive installation procedures, deploying a malicious shared object libcext.so.2 that masquerades as a legitimate C utility library.\u00a0<\/p>\n The malware achieves persistence through ld.so.preload manipulation, modifying or creating \/etc\/ld.so.preload to insert references to the malicious library.\u00a0<\/p>\n This technique ensures the malware loads before other libraries when executing dynamically linked programs, enabling it to hook and override standard system functions across applications.<\/p>\n The successful intervention by Darktrace\u2019s Managed Detection and Response service, which extended Autonomous Response actions for an additional 24 hours, provided crucial time for the customer\u2019s security team to investigate and remediate the threat.\u00a0<\/p>\n The attack underscores the urgent need for organizations using SAP NetWeaver<\/a> to immediately apply security patches, as threat actors continue to exploit this critical vulnerability across multiple systems.<\/p>\n The post Hackers Exploiting SAP NetWeaver Vulnerability to Deploy Auto-Color Linux Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/mark><\/strong>
1. CVE-2025-31324 SAP NetWeaver attack deployed Auto-Color malware.
2. Auto-Color uses Linux manipulation and adaptive evasion techniques.
3. Darktrace prevented malware activation and C2 communication.<\/pre>\n\n\u00a0SAP NetWeaver Vulnerability<\/strong> Exploited<\/strong>
\n<\/h2>\n![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdAYuzz4nIjeykFhdbmS0tzs2JoJCLVvLCgm64Bd0E4rNp0NOMgRGxFmKsOlHCcFkCDJoVVTFGc14ne8zgL5Q9nOmmtsnvDOcyEGCm2u7jqXu_wlp1bs-56LSLKgdPh-QzquM2WmA?key=wFwiw10x-fh6l551shfwQg\")
Auto-Color Malware Persistence Techniques<\/strong><\/h2>\n
Integrate ANY.RUN TI Lookup<\/strong> with your SIEM or SOAR To Analyses Advanced Threats<\/strong> -> Try 50 Free Trial Searches<\/a> <\/strong><\/code><\/p>\n