{"id":4151,"date":"2025-07-29T12:32:25","date_gmt":"2025-07-29T12:32:25","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4151"},"modified":"2025-07-29T12:32:25","modified_gmt":"2025-07-29T12:32:25","slug":"auto-color-rat-targets-sap-netweaver-bug-in-an-advanced-cyberattack","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4151","title":{"rendered":"Auto-Color RAT targets SAP NetWeaver bug in an advanced cyberattack"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Threat actors recently tried to exploit a freshly patched max-severity SAP Netweaver flaw to deploy a persistent Linux remote access trojan (<a href=\"https:\/\/www.csoonline.com\/article\/570049\/from-pranks-to-apts-how-remote-access-trojans-became-a-major-security-threat.html\">RAT<\/a>) \u201cAuto-Color.\u201d<\/p>\n<p>According to a Darktrace report, a recent attack abused the flaw to set up a stealthy advanced-stage compromise but was shortly contained by its \u201cautonomous response.\u201d<\/p>\n<p>\u201cIn April 2025, Darktrace identified an Auto-Color backdoor malware attack taking place on the network of a US-based chemicals company,\u201d Darktrace said in a <a href=\"http:\/\/www.darktrace.com\/blog\/auto-color-backdoor-how-darktrace-thwarted-a-stealthy-linux-intrusion\" target=\"_blank\" rel=\"noopener\">blog post<\/a> shared with CSO ahead of its publication on Tuesday. 
\u201cAfter Darktrace successfully blocked the malicious activity and contained the attack, the Darktrace Threat Research team conducted a deeper investigation into the malware, (revealing) that the threat actor had exploited CVE-2025-31324 to deploy Auto-Color as part of a multi-stage attack.\u201d<\/p>\n<p>Darktrace confirmed it as the first observed pairing of SAP NetWeaver exploitation with Auto-Color malware. Previously, the flaw was reported to have been likely exploited in <a href=\"https:\/\/www.csoonline.com\/article\/3971211\/sap-netweaver-customers-urged-to-deploy-patch-for-critical-zero-day-vulnerability.html\">zero-day attacks<\/a> to install JSP web shells on SAP servers.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/frank-s-252456122\/\" target=\"_blank\" rel=\"noopener\">Frankie Sclafani<\/a>, director of cybersecurity enablement at Deepwatch, said the finding warrants immediate attention from organizations. \u201cThe dangerous convergence of a critical SAP vulnerability with the elusive Auto-Color backdoor malware to target critical infrastructure signals a disturbing new chapter in cyber threats,\u201d he added. 
\u201cThe security community should proactively monitor for this activity and foster collaborative intelligence sharing to further understand and counter the threat actor\u2019s methods.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Novel SAP exploit-malware pairing\u00a0<\/h2>\n<p><a href=\"https:\/\/onapsis.com\/resources\/webinars\/critical-sap-zero-day-vulnerability-under-active-exploitation\/\" target=\"_blank\" rel=\"noopener\">Exploitation<\/a> of SAP\u2019s critical CVE-2025-31324 vulnerability enables malicious actors to upload files to the SAP Netweaver application server, potentially leading to remote code execution (RCE) and full system compromise.<\/p>\n<p>In this case, attackers exploited the flaw \u2014 disclosed just days earlier \u2014 to deliver an executable and linkable format (ELF) payload onto an internet-facing NetWeaver server. Once installed, the malware adapts to user privileges. With root access, it implants a malicious library \u201clibcext.so.2\u201d and hides under system-like directories. Without root, it keeps a low profile while still trying to reach its C2 servers over TLS.<\/p>\n<p>Auto-Color, first seen in 2024, targets Linux systems through techniques like shared object injection and \u2018ld.so.preload\u2019 persistence. Each sample carries a unique file and encrypted C2 configuration, making it hard to detect.<\/p>\n<p><a href=\"https:\/\/pathlock.com\/author\/jonathan-stross\/\" target=\"_blank\" rel=\"noopener\">Jonathan Stross<\/a>, SAP security analyst at Pathlock, said the attack highlights the need to fold SAP defenses into core IT operations. \u201cCVE-2025-31324 is a wake-up call for every organization running SAP,\u201d he said. \u201cAddressing threats, like Auto-Color backdoor malware, requires cross-departmental collaboration. 
SAP teams, IT operations, and security must work together, share expertise, and ensure SAP systems are not treated as siloed assets.\u201d<\/p>\n<p>Auto-Color takes its name from renaming itself, after execution, to \u201c\/var\/log\/cross\/auto-color\/.\u201d The RAT typically hooks and overrides core system functions while maintaining persistence.<\/p>\n<h2 class=\"wp-block-heading\">The attack stopped in its tracks<\/h2>\n<p>Darktrace analysts detected the suspicious ELF download and a flurry of odd <a href=\"https:\/\/www.networkworld.com\/article\/965540\/what-is-dns-and-how-does-it-work.html\">DNS<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/564131\/what-is-ssl-how-ssl-certificates-enable-encrypted-communication.html\">SSL<\/a> connections to known malicious infrastructure. The British cybersecurity outfit claims its \u201cAutonomous Response\u201d intervened within minutes, restricting the device to its usual, legitimate activities while analysts investigated the unusual behavior.<\/p>\n<p>Darktrace researchers said the malware stalled when it couldn\u2019t reach its C2, revealing a built-in suppression tactic to evade sandbox analysis. Containment actions were extended for 24 hours, giving the customer time to remediate.<\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/3984533\/patch-tuesday-for-may-five-zero-day-vulnerabilities-cisos-should-focus-on.html?utm=hybrid_search#:~:text=The%20critical%20vulnerability%20(CVSS%2010.0)\">CVSS 10.0 SAP Netweaver flaw<\/a> received a patch from the company in April, which was rolled out to customers in SAP Security Note 3594142, accessible only through authentication. Those who couldn\u2019t immediately apply the patch were advised to disable or prevent access to the vulnerable component by following instructions in SAP note 3596125. SAP did not immediately respond to CSO\u2019s request for comments on this discovery. 
Sclafani recommended a list of measures for security teams, including immediate patching of the flaw, enhancing anomaly and lateral movement detection, implementing network segmentation and zero-trust, and investing in AI-powered autonomous response.<\/p>\n<p>More SAP security news:<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4012446\/sap-gui-flaws-expose-sensitive-data-via-weak-or-no-encryption.html\">SAP GUI flaws expose sensitive data via weak or no encryption<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3844292\/sap-patches-severe-vulnerabilities-in-netweaver-and-commerce-apps.html\">SAP patches severe vulnerabilities in NetWeaver and Commerce apps<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3971211\/sap-netweaver-customers-urged-to-deploy-patch-for-critical-zero-day-vulnerability.html\">SAP NetWeaver customers urged to deploy patch for critical zero-day vulnerability<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Threat actors recently tried to exploit a freshly patched max-severity SAP Netweaver flaw to deploy a persistent Linux remote access trojan (RAT) \u201cAuto-Color.\u201d According to a Darktrace report, a recent attack abused the flaw to set up a stealthy advanced-stage compromise but was shortly contained by its \u201cautonomous response.\u201d \u201cIn April 2025, Darktrace identified an 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4150,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4151","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4151"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4151"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4151\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4150"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}