In April 2025, a sophisticated cyberattack targeted a U.S.-based chemical company, marking the first documented instance of threat actors exploiting a critical vulnerability in SAP NetWeaver to deploy the Auto-Color backdoor malware. This incident underscores the evolving tactics of cyber adversaries and the pressing need for robust cybersecurity measures.
Overview of the Attack
The attack commenced with the exploitation of CVE-2025-31324, a critical vulnerability in SAP NetWeaver’s Visual Composer component. Disclosed by SAP SE on April 24, 2025, this flaw allows unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution and full system compromise. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/?utm_source=openai))
Threat actors initiated reconnaissance activities on April 25, scanning for vulnerable systems by targeting the `/developmentserver/metadatauploader` endpoint. Two days later, they launched the full attack, beginning with the download of a malicious ZIP file from the IP address 91.193.19[.]109. This was accompanied by DNS tunneling requests to Out-of-Band Application Security Testing (OAST) domains, such as aaaaaaaaaaaa[.]d06oojugfd4n58p4tj201hmy54tnq4rak[.]oast[.]me.
Subsequently, the attackers executed a shell script named `config.sh` via the `helper.jsp` file, establishing connections to command-and-control (C2) infrastructure at 47.97.42[.]177 over port 3232. This endpoint is associated with Supershell, a C2 platform linked to China-affiliated threat groups. ([cybersecuritynews.com](https://cybersecuritynews.com/sap-netweaver-vulnerability-exploited-malware/?utm_source=openai))
Auto-Color Malware: Persistence and Evasion Techniques
The Auto-Color backdoor malware, named for its ability to rename itself to `/var/log/cross/auto-color` after execution, is a sophisticated Remote Access Trojan (RAT) that has primarily targeted universities and government institutions since November 2024. ([hackread.com](https://hackread.com/sap-netweaver-vulnerability-auto-color-malware-us-firm/?utm_source=openai))
Auto-Color exhibits adaptive behavior based on the privilege levels it operates under. When executed without root privileges, it limits its functionality to avoid detection in restricted environments. However, with root access, the malware performs invasive installation procedures, deploying a malicious shared object `libcext.so.2` that masquerades as a legitimate C utility library.
To achieve persistence, Auto-Color manipulates the `ld.so.preload` mechanism by modifying or creating the `/etc/ld.so.preload` file to include references to the malicious library. This technique ensures that the malware loads before other libraries when executing dynamically linked programs, enabling it to hook and override standard system functions across applications. ([cybersecuritynews.com](https://cybersecuritynews.com/sap-netweaver-vulnerability-exploited-malware/?utm_source=openai))
Detection and Mitigation
The attack was successfully detected and contained by Darktrace’s Managed Detection and Response service. The service extended Autonomous Response actions for an additional 24 hours, providing the company’s security team with crucial time to investigate and remediate the threat. ([cybersecuritynews.com](https://cybersecuritynews.com/sap-netweaver-vulnerability-exploited-malware/?utm_source=openai))
This incident highlights the urgent need for organizations using SAP NetWeaver to apply security patches promptly. Threat actors continue to exploit critical vulnerabilities across multiple systems, emphasizing the importance of proactive cybersecurity measures.
Recommendations for Organizations
1. Immediate Patch Application: Organizations should apply the latest security patches released by SAP to address CVE-2025-31324 and other related vulnerabilities. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/?utm_source=openai))
2. Restrict Access to Vulnerable Endpoints: Limit access to the `/developmentserver/metadatauploader` endpoint to trusted users and systems.
3. Monitor for Unauthorized File Uploads: Implement monitoring mechanisms to detect and alert on unauthorized file uploads and modifications to critical system files.
4. Conduct Regular Security Audits: Perform regular security assessments to identify and remediate potential vulnerabilities within the organization’s IT infrastructure.
5. Enhance Employee Training: Educate employees on recognizing phishing attempts and other common attack vectors to reduce the risk of initial compromise.
Conclusion
The exploitation of SAP NetWeaver’s vulnerability to deploy Auto-Color malware represents a significant advancement in cyberattack methodologies. Organizations must remain vigilant, applying patches promptly and implementing comprehensive security measures to protect against such sophisticated threats.
