Threat actors recently tried to exploit a freshly patched max-severity SAP Netweaver flaw to deploy a persistent Linux remote access trojan (RAT) “Auto-Color.”

According to a Darktrace report, a recent attack abused the flaw to set up a stealthy advanced-stage compromise but was shortly contained by its “autonomous response.”

“In April 2025, Darktrace identified an Auto-Color backdoor malware attack taking place on the network of a US-based chemicals company,” Darktrace said in a blog post shared with CSO ahead of its publication on Tuesday. “After Darktrace successfully blocked the malicious activity and contained the attack, the Darktrace Threat Research team conducted a deeper investigation into the malware, (revealing) that the threat actor had exploited CVE-2025-31324 to deploy Auto-Color as part of a multi-stage attack.”

Darktrace confirmed it as the first observed pairing of SAP NetWeaver exploitation with Auto-Color malware. Previously, the flaw was reported to have been likely exploited in zero-day attacks to install JSP web shells on SAP servers.

Frankie Sclafani, director of cybersecurity enablement at Deepwatch, said the finding warrants immediate attention from organizations. “The dangerous convergence of a critical SAP vulnerability with the elusive Auto-Color backdoor malware to target critical infrastructure signals a disturbing new chapter in cyber threats,” he added. “The security community should proactively monitor for this activity and foster collaborative intelligence sharing to further understand and counter the threat actor’s methods.”

Novel SAP exploit-malware pairing

Exploitation of SAP’s critical CVE-2025-31324 vulnerability enables malicious actors to upload files to the SAP Netweaver application server, potentially leading to remote code execution (RCE) and full system compromise.

In this case, attackers exploited the flaw — disclosed just days earlier — to deliver an executable and linkable format (ELF) payload onto an internet-facing NetWeaver server. Once installed, the malware adapts its behavior to the privileges it runs with. With root access, it implants a malicious library, “libcext.so.2,” and hides under system-like directories. Without root, it keeps a low profile while still trying to reach its C2 servers over TLS.

Auto-Color, first seen in 2024, targets Linux systems through techniques like shared object injection and ‘ld.so.preload’ persistence. Each sample carries a unique file and encrypted C2 configuration, making it hard to detect.

Jonathan Stross, SAP security analyst at Pathlock, said the attack highlights the need to fold SAP defenses into core IT operations. “CVE-2025-31324 is a wake-up call for every organization running SAP,” he said. “Addressing threats, like Auto-Color backdoor malware, requires cross-departmental collaboration. SAP teams, IT operations, and security must work together, share expertise, and ensure SAP systems are not treated as siloed assets.”

Auto-Color takes its name from the path it renames itself to after execution, “/var/log/cross/auto-color/.” The RAT typically hooks and overrides core system functions while maintaining persistence.
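As an added example (not code from the article, Darktrace, or SAP), the following script audits a Linux host for the persistence indicators the article names: an ld.so.preload entry for “libcext.so.2” and the “/var/log/cross/auto-color/” path. The trusted library directory list, the treatment of ld.so.preload as whitespace-separated entries with “#” comments, and the sample input are assumptions.

```python
import os

# Indicators taken from the article; nothing else is assumed about the sample.
AUTO_COLOR_PATH = "/var/log/cross/auto-color"
SUSPECT_LIBRARY_NAMES = {"libcext.so.2"}
# Assumption: a legitimately preloaded library normally lives in one of these.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def audit_preload(preload_text, existing_paths):
    """Return a list of (severity, message) findings.

    preload_text   -- content of /etc/ld.so.preload ('' if the file is absent)
    existing_paths -- paths known to exist on the host (passed in so the check
                      can run offline against constructed input)
    """
    findings = []
    existing = {p.rstrip("/") for p in existing_paths}
    for raw in preload_text.splitlines():
        # Treat entries as whitespace-separated and skip '#' comments (assumed glibc behavior).
        for entry in raw.split("#", 1)[0].split():
            name = os.path.basename(entry)
            if name in SUSPECT_LIBRARY_NAMES:
                findings.append(("high", f"ld.so.preload loads {entry}, a library name tied to Auto-Color"))
            elif not entry.startswith(TRUSTED_LIB_DIRS):
                findings.append(("medium", f"ld.so.preload loads {entry} from outside standard library dirs"))
            else:
                findings.append(("info", f"ld.so.preload loads {entry}"))
    if AUTO_COLOR_PATH in existing:
        findings.append(("high", f"{AUTO_COLOR_PATH} exists: the path Auto-Color renames itself to"))
    return findings


# Constructed sample input, not a real capture from the incident.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/libsample.so\n/usr/lib/libcext.so.2\n"
SAMPLE_EXISTING = ["/usr/lib/libsample.so", "/usr/lib/libcext.so.2", "/var/log/cross/auto-color/"]


def demo():
    """Run the audit over the constructed sample; returns three findings."""
    return audit_preload(SAMPLE_PRELOAD, SAMPLE_EXISTING)


if __name__ == "__main__":
    try:
        with open("/etc/ld.so.preload") as fh:
            text = fh.read()
    except OSError:
        text = ""
    present = [AUTO_COLOR_PATH] if os.path.isdir(AUTO_COLOR_PATH) else []
    for severity, message in audit_preload(text, present):
        print(severity.upper(), message)
```

Run without arguments it inspects the local host; the constructed sample exercises the three branches (trusted entry, suspect library, Auto-Color path) so the logic can be checked offline.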

The attack stopped in its tracks

Darktrace analysts detected the suspicious ELF download and a flurry of odd DNS and SSL connections to known malicious infrastructure. The British cybersecurity outfit claims its “Autonomous Response” intervened within minutes, restricting the device to its usual, legitimate activities while analysts investigated unusual behavior.

Darktrace researchers said the malware stalled when it couldn’t reach its C2, revealing a built-in suppression tactic to evade sandbox analysis. Containment actions were extended for 24 hours, giving the customer time to remediate.

The CVSS 10.0 SAP Netweaver flaw received a patch from the company in April, which was rolled out to customers in SAP Security Note 3594142, accessible only through authentication. Those who couldn’t immediately apply the patch were advised to disable or prevent access to the vulnerable component by following instructions in SAP note 3596125.

SAP did not immediately respond to CSO’s request for comments on this discovery. Sclafani recommended a list of measures for security teams, including immediate patching of the flaw, enhancing anomaly and lateral movement detection, implementing network segmentation and zero-trust, and investing in AI-powered autonomous response.
