Threat officials have been observed to exploit the currently patched critical SAP NetWeaver flaws to deliver auto-collar backdoors in an attack targeting US-based chemical companies in April 2025.
“For three days, threat actors have accessed their clients’ networks, attempted to download some suspicious files, and communicated with malicious infrastructure linked to automatic color malware,” Darktrace said in a report they share with Hacker News.
The vulnerability in question is CVE-2025-31324. This is a severe, unauthenticated file upload bug in SAP NetWeaver that enables Remote Code Execution (RCE). The patch was applied by SAP in April.
Auto-Color was first documented by Palo Alto Networks Unit 42 in early February this year and works similar to a remote access trojan, allowing remote access to compromised Linux hosts. It was observed in attacks targeting universities and government organizations in North America and Asia from November to December 2024.
Malware has been known to hide malicious behavior if it cannot connect to a command and control (C2) server. This indicates that threat actors are trying to avoid detection by giving the impression that they are benign.
It supports a variety of functions, including reverse shell, creating and running files, system proxy configuration, global payload operations, system profiling, and even self-fusion when a kill switch is triggered.
The incident detected by DarkTrace took place on April 28th, when it was warned of suspicious ELF binaries downloads on an internet exposed machine that is likely to run SAP NetWeaver. That said, the first signs of scanning activity are said to have occurred at least three days ago.
“CVE-2025-31324 has launched a second-stage attack that was leveraged in this case and involves compromised devices for the Internet and downloading ELF files representing automatic colored malware,” the company said.
“From the initial intrusion to the failure to establish C2 communications, automatic color malware has demonstrated a clear understanding of Linux internally, demonstrating calculated constraints designed to minimize exposure and reduce the risk of detection.”
Source link
