
Hackers Target SAP NetWeaver Flaw to Spread Linux Auto-Color Malware

Summary

– Hackers exploited the critical SAP NetWeaver vulnerability CVE-2025-31324 to deploy Auto-Color Linux malware in a cyberattack on a U.S. chemicals company.
– Darktrace discovered the attack in April 2025, noting Auto-Color had evolved with advanced evasion tactics, including suppressing malicious behavior if its C2 server is unreachable.
– Auto-Color, first documented in February 2025, features capabilities like remote access, file modification, and a rootkit module to hide malicious activities.
– Attackers use CVE-2025-31324 for unauthenticated remote code execution; SAP patched the flaw in April 2025, but exploitation attempts by ransomware actors and state-sponsored hackers continued afterwards.
– Administrators are urged to apply SAP security updates promptly, as Auto-Color’s evasion techniques make it difficult to detect and reverse-engineer.

Cybersecurity experts have uncovered a sophisticated attack campaign exploiting a critical SAP NetWeaver vulnerability to deploy the elusive Auto-Color malware on Linux systems. The breach targeted a U.S. chemical firm, marking a significant escalation in the malware’s capabilities and evasion techniques.

Darktrace’s incident response team detected the intrusion in late April 2025, tracing the attack to CVE-2025-31324, a flaw allowing unauthenticated attackers to upload malicious binaries for remote code execution. The malware, delivered via an ELF executable, exhibited advanced behaviors tailored to bypass detection.

First identified by Palo Alto Networks’ Unit 42 in early 2025, Auto-Color has since evolved into a formidable threat. It adapts its actions based on the privileges it runs with and uses a stealthy persistence method: it lists its shared object in /etc/ld.so.preload, so the dynamic loader injects that library into every new dynamically linked process. The malware’s toolkit includes remote command execution, file manipulation, reverse shells, and a rootkit module to conceal its activities from security software.
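The ld.so.preload persistence described above is straightforward to audit on a host. The script below is an added example, not code from the article, Darktrace or Unit 42: it parses /etc/ld.so.preload (and the LD_PRELOAD variable in the environment) and flags entries that are missing on disk, live outside standard library directories, are world-writable, or are relative paths. The trusted directories, the empty allowlist, the file contents and the filesystem view used by `demo()` are assumptions constructed for illustration.

```python
"""Audit ld.so.preload / LD_PRELOAD for unexpected shared-object injection.

Added example (not from the article, Darktrace or Unit 42). Auto-Color is
reported to persist by listing its shared object in /etc/ld.so.preload, which
makes the loader inject it into every new dynamically linked process.
TRUSTED_DIRS, ALLOWLIST and the SAMPLE_* inputs are assumptions.
"""
from __future__ import annotations

import os
import stat
from dataclasses import dataclass
from typing import Callable, Iterable, Mapping

# Assumption: where legitimate preloads live on this host. Tune per distro;
# if an EDR agent legitimately preloads from e.g. /opt, add it here.
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
# Assumption: explicitly approved preload paths (none by default).
ALLOWLIST: frozenset[str] = frozenset()


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def parse_preload_file(text: str) -> list[str]:
    """Entries are whitespace separated; the loader treats '#' as a comment."""
    entries: list[str] = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def parse_preload_env(value: str) -> list[str]:
    """LD_PRELOAD accepts colon- or whitespace-separated entries."""
    return value.replace(":", " ").split()


def _world_writable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_paths(
    paths: Iterable[str],
    exists: Callable[[str], bool] = os.path.exists,
    world_writable: Callable[[str], bool] = _world_writable,
) -> list[Finding]:
    """Return one Finding per suspicious property of each preload entry."""
    findings: list[Finding] = []
    for path in paths:
        if path in ALLOWLIST:
            continue
        if not path.startswith("/"):
            # Resolved per process via the library search path: which file
            # actually loads is controllable by whoever shapes that path.
            findings.append(Finding(path, "relative path"))
            continue
        if not exists(path):
            findings.append(Finding(path, "missing on disk"))
            continue
        if not path.startswith(tuple(d + "/" for d in TRUSTED_DIRS)):
            findings.append(Finding(path, "outside trusted library directories"))
        if world_writable(path):
            findings.append(Finding(path, "world-writable"))
    return findings


def audit_preload_file(text: str, **checks) -> list[Finding]:
    return audit_paths(parse_preload_file(text), **checks)


def audit_environment(environ: Mapping[str, str], **checks) -> list[Finding]:
    return audit_paths(parse_preload_env(environ.get("LD_PRELOAD", "")), **checks)


def audit_host() -> list[Finding]:
    """Check /etc/ld.so.preload (if present) and LD_PRELOAD on the running host."""
    findings: list[Finding] = []
    try:
        with open("/etc/ld.so.preload", encoding="utf-8") as fh:
            findings += audit_preload_file(fh.read())
    except FileNotFoundError:
        pass
    return findings + audit_environment(os.environ)


# Constructed sample (not a real capture) so the audit can be run offline.
SAMPLE_PRELOAD = """\
# constructed sample ld.so.preload
/usr/lib/x86_64-linux-gnu/libapproved.so
/tmp/.cache/libx.so.2    # dropped into a world-writable directory
/usr/lib/libgone.so
"""
# Constructed filesystem view: path -> is the file world-writable?
SAMPLE_FS = {
    "/usr/lib/x86_64-linux-gnu/libapproved.so": False,
    "/tmp/.cache/libx.so.2": True,
}


def demo() -> list[Finding]:
    """Audit the constructed sample against the constructed filesystem."""
    return audit_preload_file(
        SAMPLE_PRELOAD,
        exists=lambda p: p in SAMPLE_FS,
        world_writable=lambda p: SAMPLE_FS[p],
    )


if __name__ == "__main__":
    for label, found in (("sample", demo()), ("this host", audit_host())):
        print(f"== {label}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f.path}: {f.reason}")
```

Run it as root on a NetWeaver host to audit the live file; `demo()` shows the expected output on the constructed sample (two findings for the /tmp entry, one for the missing library). Note that an empty or absent /etc/ld.so.preload is the normal state on most distributions, so any entry at all deserves a look, and a rootkit that hooks file reads can hide its own entry from userland tools, which is why the check should also be run from a trusted boot medium or by comparing against a known-good image.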

What makes this latest variant particularly dangerous is its ability to remain dormant when disconnected from its command-and-control (C2) server. In sandboxed or isolated environments, the malware deactivates most malicious functions, appearing harmless to analysts. This sophisticated evasion tactic complicates reverse engineering efforts, hiding its full capabilities until it establishes a live connection.

The attack timeline reveals rapid exploitation following SAP’s patch release in April 2025. Within days, multiple threat groups, including ransomware operators and suspected Chinese state-sponsored actors, began leveraging the vulnerability. Mandiant’s findings suggest zero-day exploitation may have started as early as March 2025, underscoring the urgency for organizations to apply patches.

Security teams recommend immediate action to mitigate risks. Administrators should prioritize applying SAP’s updates and monitor for unusual network activity, particularly in environments running NetWeaver. The malware’s dynamic configuration updates and kill switch mechanism further emphasize the need for layered defenses, including endpoint detection and network traffic analysis.

As Auto-Color continues to evolve, its combination of stealth, adaptability, and exploitation of unpatched systems poses a persistent challenge for defenders. Proactive measures and threat intelligence sharing remain critical in countering this advanced threat.

(Source: Bleeping Computer)


The Wiz

Wiz Consults, home of the Internet is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.
