
Auto-Color Backdoor Malware Exploits SAP Vulnerability – Source: www.infosecurity-magazine.com


Source: www.infosecurity-magazine.com

A new backdoor malware campaign targeting Linux systems and exploiting a critical vulnerability in SAP has been uncovered by cybersecurity researchers.

The malware, known as Auto-Color, was deployed in a targeted intrusion against a US-based chemicals company in April 2025.

Threat Exploits SAP NetWeaver Vulnerability

According to an advisory published by Darktrace on July 29, the attack began when a threat actor exploited CVE-2025-31324, a critical flaw in SAP NetWeaver that allows remote file uploads and potential system compromise. Despite SAP disclosing the vulnerability on April 24, threat actors quickly moved to weaponize it.

Jason Soroko, senior fellow at Sectigo, said, “Organizations running SAP NetWeaver need to recognize that the Visual Composer Metadata Uploader flaw CVE-2025-31324 is now weaponized in the wild and that adversaries are using it to plant the Auto Color remote access trojan on Linux hosts.”

Using a ZIP file delivered through a malicious URI, the attacker initiated the intrusion on April 27. Darktrace detected signs of DNS tunneling and suspicious inbound connections, including downloads from known malicious infrastructure. Within 24 hours, the malware Auto-Color was delivered via an ELF file retrieved from a remote server.

“Darktrace’s thorough analysis and findings reveal the first documented case of threat actors exploiting the critical SAP NetWeaver vulnerability […] to deploy Auto-Color backdoor malware,” said Frankie Sclafani, director of cybersecurity enablement, Deepwatch. “This finding represents a significant escalation in multi-stage attack sophistication and warrants immediate attention from organizations.”


How Auto-Color Operates and Evades Detection

Auto-Color functions as a Remote Access Trojan (RAT) that adapts its behavior to the privileges it runs with. When run as root, it installs a disguised shared object library, libcext.so.2, and registers it in ld.so.preload so that it is loaded ahead of legitimate libraries, a Linux persistence technique.

“The exploit requires no authentication and lets attackers upload helper scripts that pull an ELF payload which renames itself to /var/log/cross/auto-color,” Soroko added, “and persists by adding a fake library called libcext.so.2 to ld.so.preload.”

Once embedded, the malware renames itself to mimic log files and obscure its presence. Its activity hinges on establishing an outbound TLS connection to a hardcoded command-and-control (C2) server. If the C2 server is unreachable, the malware suppresses most of its behavior and appears dormant, which helps it evade detection in sandboxed or offline environments.

“CVE-2025-31324 is a wake-up call for every organization running SAP,” said Jonathan Stross, SAP security analyst at Pathlock. “Darktrace’s detailed research highlights how creatively and effectively attackers can leverage known vulnerabilities to advance along the cyber kill chain.”

Key characteristics of Auto-Color include:

  • Privilege-aware execution paths

  • Preload-based persistence using ld.so.preload

  • Static, encrypted configuration embedded at compile time

  • A modular C2 command set with capabilities like reverse shell, file execution and kill switch
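As an added illustration for defenders (example code written for this page, not from the article, Darktrace or any vendor): a small Python check that audits the contents of an ld.so.preload file for the indicators the article describes. The library name libcext.so.2 and the habit of staging payloads under /var/log come from the article; the STANDARD_LIB_DIRS allow-list, the `audit_preload` function, the injectable `path_exists` hook and the constructed sample file contents are assumptions of this example.

```python
"""Audit an ld.so.preload file for entries that look like preload-based persistence.

Example code for this page (not from the article or Darktrace). The indicators
libcext.so.2 and /var/log staging come from the article; everything else here
is an assumption of the example.
"""
import os

# Where legitimately preloaded libraries normally live (assumed allow-list).
STANDARD_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Library file names the article reports Auto-Color using for persistence.
KNOWN_BAD_NAMES = {"libcext.so.2"}

# Locations where a preloaded library has no business living (assumption).
STAGING_PREFIXES = ("/var/log/", "/tmp/", "/var/tmp/", "/dev/shm/")

PRELOAD_FILE = "/etc/ld.so.preload"


def audit_preload(contents, path_exists=os.path.exists):
    """Return a list of (entry, reasons) for every entry in `contents`.

    Entries are whitespace-separated; text after '#' on a line is treated as a
    comment. An empty `reasons` list means nothing looked wrong with the entry.
    `path_exists` is injectable so the check runs offline against constructed data.
    """
    findings = []
    for raw in contents.splitlines():
        for entry in raw.split("#", 1)[0].split():
            reasons = []
            if os.path.basename(entry) in KNOWN_BAD_NAMES:
                reasons.append("matches known Auto-Color library name")
            if not entry.startswith("/"):
                reasons.append("relative path, resolved through the library search path")
            elif not any(entry.startswith(d + "/") for d in STANDARD_LIB_DIRS):
                reasons.append("outside standard library directories")
            if entry.startswith(STAGING_PREFIXES):
                reasons.append("staged in a log or temp location")
            if not path_exists(entry):
                reasons.append("file does not exist on disk")
            findings.append((entry, reasons))
    return findings


def suspicious_entries(findings):
    """Keep only entries that raised at least one reason."""
    return [(entry, reasons) for entry, reasons in findings if reasons]


# Constructed sample contents, not a real capture: one benign entry plus two
# entries shaped like the persistence the article describes.
SAMPLE_PRELOAD = (
    "# constructed sample\n"
    "/usr/lib/liblegit.so\n"
    "/usr/lib/libcext.so.2\n"
    "/var/log/cross/.lib.so\n"
)


def sample_exists(path):
    """Fake filesystem for the sample: only the benign library is present."""
    return path == "/usr/lib/liblegit.so"


if __name__ == "__main__":
    # Audit the real file when present, otherwise demonstrate on the sample.
    if os.path.exists(PRELOAD_FILE):
        with open(PRELOAD_FILE) as fh:
            results = audit_preload(fh.read())
    else:
        results = audit_preload(SAMPLE_PRELOAD, path_exists=sample_exists)
    for entry, reasons in suspicious_entries(results):
        print(f"SUSPICIOUS {entry}: {'; '.join(reasons)}")
```

On a healthy host ld.so.preload is usually absent or empty, so any entry at all deserves a look; the reasons above simply rank which ones to look at first. Pair this with the other indicators the article gives (an ELF under /var/log/cross/ and outbound TLS to an unknown host) rather than relying on the library name alone, since a renamed copy would pass a name check.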

Darktrace stated that its Autonomous Response blocked outbound connections to the malware’s C2 infrastructure, preventing the malware from progressing beyond its initial installation.

“This is a clear example of why SAP security must be integrated into broader IT security operations,” Stross explained. “Traditional SAP Basis teams often lack the experience dealing with RATs […] SAP teams, IT operations and security must work together.”

Original Post URL: https://www.infosecurity-magazine.com/news/auto-color-backdoor-exploits-sap/
