Hackers Exploit SAP Vulnerability to Breach Linux Systems and Deploy Auto-Color Malware

Hackers Target SAP Vulnerability with Auto-Color Malware

In a recent incident, threat actors took advantage of a critical vulnerability in SAP NetWeaver to deploy the Auto-Color backdoor in an attack aimed at a chemicals company in the United States. This event, which occurred in April 2025, highlights the persistent threat posed by cybercriminals exploiting software weaknesses.

The SAP Vulnerability Explained

The specific flaw exploited in this attack is known as CVE-2025-31324, characterized as a serious unauthenticated file upload bug within SAP NetWeaver. This vulnerability allows for remote code execution (RCE), which means that attackers can run malicious code on the server without proper authorization. SAP addressed this weakness with a patch released in April, underscoring the critical need for organizations to apply security updates promptly to protect themselves from exploitation.

Attack Dynamics: A Three-Day Infiltration

According to a report from Darktrace, the intruder had access to the chemicals company’s network over a span of three days. During this period, they attempted to download multiple suspicious files and communicated with servers associated with the Auto-Color malware. Darktrace’s findings describe a structured approach by the threat actor, who showed a clear familiarity with the tools and methods involved.

A Closer Look at Auto-Color

Auto-Color, which was first reported by Palo Alto Networks’ Unit 42 in early 2025, mimics the functionality of a remote access trojan (RAT). Its primary purpose is to facilitate remote access to compromised Linux systems. Prior to this incident, Auto-Color was observed engaging in attacks against universities and government entities across North America and Asia from November to December 2024.

Evasion Tactics of Auto-Color

One of the more sophisticated features of Auto-Color is its ability to conceal malicious activity. If it fails to establish a connection with its command-and-control (C2) server, the malware can mask its behavior, mimicking benign operations. This tactic is indicative of the threat actors’ intent to go undetected while spreading their payload.

Furthermore, Auto-Color is equipped with various functionalities, including:

  • Reverse Shell Access: Enabling the attacker to gain control over the infected system.
  • File Management: Capabilities for creating, executing, and manipulating files.
  • System Profiling: Gathering information about the system’s architecture and configuration.
  • Proxy Configuration: Setting up system proxy settings for covert operations.
  • Self-Removal Mechanism: A built-in feature allowing it to delete itself if a kill switch is triggered.

Tracking the Intrusion

The incident was initially flagged by Darktrace on April 28, when an unusual download of an ELF binary was detected on a machine exposed to the internet, presumably running SAP NetWeaver. However, signs that scanning activities were underway were noticed three days earlier, indicating a prolonged pre-attack reconnaissance phase.

Darktrace reported that the CVE-2025-31324 vulnerability was leveraged to initiate a second stage of the assault. This phase involved the compromise of an internet-facing device, followed by the download of the ELF file that represented the malicious Auto-Color software.
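The detection sequence Darktrace describes (scanning of an exposed host, an accepted unauthenticated upload, a download of an ELF binary, then an outbound connection that is not part of normal egress) can be expressed as a simple stage-correlation rule. The following is an added illustration written for this article, not Darktrace’s or SAP’s code: it correlates those four stages per internal host over constructed log lines. The host names, IP addresses, allowlist and the upload path placeholder are assumptions for the example, not indicators from the incident.

```python
"""Stage correlation for a scan -> upload -> ELF fetch -> C2 attempt sequence.

Added example; not vendor code. All log lines below are constructed, and the
host names, IPs, egress allowlist and UPLOAD_PATH are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

ELF_MAGIC = "7f454c46"                   # 0x7f 'E' 'L' 'F': the first four bytes of any ELF file
UPLOAD_PATH = "/ASSUMED_UPLOAD_ENDPOINT"  # placeholder; the article does not name the endpoint
KNOWN_EGRESS = {"198.51.100.10"}          # constructed allowlist of legitimate external destinations
SCAN_THRESHOLD = 3                        # distinct 404'd paths from one source before calling it a scan

# Constructed sample events: "<timestamp> <kind> <src> <dst> <detail...>"
# kind "http"   = inbound request to an internal host: METHOD PATH STATUS
# kind "egress" = outbound activity from an internal host: download <hex of first bytes> | connect <port>
SAMPLE_LOG = """\
2025-04-25T09:12:01 http 203.0.113.7 sap-web-1 GET /probe-a 404
2025-04-25T09:12:02 http 203.0.113.7 sap-web-1 GET /probe-b 404
2025-04-25T09:12:03 http 203.0.113.7 sap-web-1 GET /probe-c 404
2025-04-26T14:00:00 http 192.0.2.50 sap-web-1 GET /index.html 200
2025-04-28T09:11:50 http 203.0.113.7 sap-web-1 POST /ASSUMED_UPLOAD_ENDPOINT 200
2025-04-28T09:12:01 egress sap-web-1 203.0.113.9 download 7f454c4602010100
2025-04-28T09:12:06 egress sap-web-1 198.51.100.10 connect 443
2025-04-28T09:12:09 egress sap-web-1 203.0.113.9 connect 443
2025-04-28T10:00:00 egress hr-laptop-3 198.51.100.10 download 25504446
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    src: str
    dst: str
    detail: List[str]


@dataclass
class Timeline:
    """The four stages observed for one internal host, in the order they must occur."""
    host: str
    scan: Optional[Event] = None
    upload: Optional[Event] = None
    elf_fetch: Optional[Event] = None
    c2_attempt: Optional[Event] = None

    def complete(self) -> bool:
        return all((self.scan, self.upload, self.elf_fetch, self.c2_attempt))

    def dwell_days(self) -> float:
        """Days between the first reconnaissance request and the ELF download."""
        return (self.elf_fetch.ts - self.scan.ts).total_seconds() / 86400


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, kind, src, dst, *detail = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, src, dst, detail))
    return events


def correlate(events: List[Event]) -> Dict[str, Timeline]:
    timelines: Dict[str, Timeline] = {}
    first_404: Dict[Tuple[str, str], Event] = {}   # (external src, host) -> first 404 seen
    paths_404: Dict[Tuple[str, str], Set[str]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "http":
            tl = timelines.setdefault(ev.dst, Timeline(ev.dst))
            method, path, status = ev.detail
            key = (ev.src, ev.dst)
            if status == "404":
                # Reconnaissance: one source probing many non-existent paths.
                first_404.setdefault(key, ev)
                paths_404.setdefault(key, set()).add(path)
                if len(paths_404[key]) >= SCAN_THRESHOLD and tl.scan is None:
                    tl.scan = first_404[key]
            elif method == "POST" and path == UPLOAD_PATH and status.startswith("2"):
                if tl.upload is None:
                    tl.upload = ev          # server accepted a file upload from outside
        elif ev.kind == "egress":
            tl = timelines.setdefault(ev.src, Timeline(ev.src))
            action = ev.detail[0]
            if action == "download" and tl.upload and tl.elf_fetch is None:
                if ev.detail[1].lower().startswith(ELF_MAGIC):
                    tl.elf_fetch = ev       # an ELF binary pulled down after the upload
            elif action == "connect" and tl.elf_fetch and tl.c2_attempt is None:
                if ev.dst not in KNOWN_EGRESS:
                    tl.c2_attempt = ev      # new, non-allowlisted destination after the drop
    return timelines


def alerts(text: str) -> List[Dict[str, str]]:
    """Return one alert per host that completed all four stages."""
    out = []
    for tl in correlate(parse_log(text)).values():
        if tl.complete():
            out.append({"host": tl.host, "scanner": tl.scan.src, "c2": tl.c2_attempt.dst,
                        "dwell_days": f"{tl.dwell_days():.1f}"})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

The rule deliberately requires the stages in order, so a workstation that downloads a PDF to an allowlisted destination (the hr-laptop-3 line) never fires, while the web host produces one alert whose dwell time reproduces the three-day gap between the first scan and the ELF download noted in the article.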

From the initial breach to the thwarted attempt at establishing C2 communication, the behavior exhibited by Auto-Color revealed a deep understanding of Linux systems. The malware’s design appears meticulously calculated, aimed at minimizing exposure and reducing the likelihood of detection.


Mature awareness and prompt responses to emerging vulnerabilities, like the one in SAP NetWeaver, are essential for organizations in maintaining their cybersecurity posture. Understanding how these attacks unfold can empower companies to fortify their defenses against similar threats in the future.
