
Auto-Color Backdoor

In a sophisticated cyberattack campaign targeting a U.S.-based chemicals company in April 2025, threat actors exploited a now-patched critical vulnerability in SAP NetWeaver to deploy the Auto-Color backdoor. The incident highlights the continued risks posed by unpatched systems and advanced malware threats aimed at high-value targets.

Exploiting CVE-2025-31324: A Gateway to Remote Code Execution

At the core of the attack is CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver. This flaw allows remote code execution (RCE) and was patched by SAP in April 2025. Despite the fix, threat actors capitalized on unpatched systems to compromise a publicly exposed device. The attack unfolded over three days and included malicious file downloads and communication with infrastructure linked to the Auto-Color malware.

Auto-Color: A Stealthy and Sophisticated Backdoor

First analyzed in February 2025, Auto-Color functions similarly to a remote access trojan (RAT) designed to infect Linux environments. It has previously been seen in attacks targeting universities and government entities across North America and Asia between November and December 2024.

One of the most telling characteristics of Auto-Color is its ability to conceal its malicious behavior when it cannot reach its Command-and-Control (C2) server. This feature suggests a high degree of operational security and an intent to avoid detection during incident response or sandbox analysis.

Key Capabilities of Auto-Color

Auto-Color offers a comprehensive suite of malicious features designed to provide deep control over compromised systems. These include:

  • Reverse shell capabilities
  • File creation and execution
  • System proxy configuration
  • Global payload modification
  • System profiling
  • Self-deletion via kill switch

These features allow attackers not only to maintain persistent access but also to adapt dynamically and erase evidence when necessary.

Timeline of the Attack: A Calculated Infiltration

Security experts identified the intrusion on April 28, when a suspicious ELF binary was detected on an internet-facing server likely running SAP NetWeaver. However, the initial signs of reconnaissance and scanning reportedly began at least three days earlier, indicating careful planning.

The attackers utilized CVE-2025-31324 to deliver a second-stage payload, an ELF binary that turned out to be the Auto-Color backdoor. Once deployed, the malware demonstrated a deep understanding of Linux systems and executed actions with measured precision, minimizing its footprint to avoid early detection.

A Wake-Up Call for Enterprise Security

This incident underscores the importance of timely patching and continuous monitoring of critical infrastructure. Sophisticated malware like Auto-Color, coupled with vulnerabilities in enterprise platforms like SAP NetWeaver, presents a significant risk to organizations across sectors. IT teams must prioritize vulnerability management and be prepared to detect and respond to stealthy, persistent threats.
