Auto-Color Malware: A Stealthy Linux RAT Delivered Through SAP NetWeaver Exploit


In April 2025, a US-based chemicals company was the target of a sophisticated intrusion involving Auto-Color, a Linux backdoor that functions as a Remote Access Trojan (RAT). The attackers gained a foothold through CVE-2025-31324, a severe vulnerability in SAP NetWeaver's /developmentserver/metadatauploader endpoint that allows an unauthenticated file upload and leads to remote code execution. This is the first documented case of Auto-Color being delivered through SAP exploitation, and it shows threat actors pairing a mature Linux implant with a fresh enterprise-application exploit.

Severity Level: High

Threat Summary

  • Malware Name: Auto-Color Backdoor (Linux RAT)
  • First Observed: November 2024 (widespread by April 2025)
  • Primary Exploit Used: CVE-2025-31324 (SAP NetWeaver – Remote File Upload to RCE)
  • Primary Target Environment: Linux servers, especially those running SAP applications
  • Observed Targets: US chemicals firm (April 2025); earlier campaigns targeted universities and government organisations in the US and Asia

Infection Chain & Execution Flow

  1. Initial Access: The attacker exploits CVE-2025-31324 through the unauthenticated /developmentserver/metadatauploader endpoint of SAP NetWeaver. A ZIP archive containing the initial payload is downloaded onto the server.
  2. Execution: The helper.jsp webshell is used to run the config.sh shell script, which in turn downloads and executes the ELF binary that carries Auto-Color.
  3. Persistence: When running as root, Auto-Color writes the path of a malicious shared object, libcext.so.2, into /etc/ld.so.preload. The dynamic linker then loads that library into every new dynamically linked process, giving the implant stealthy, system-wide persistence.
  4. C2 Communication: The implant opens outbound TLS connections on port 443 to hard-coded IP addresses. If no C2 server is reachable it stays dormant and suppresses its functionality to avoid detection.
  5. Payload: Capabilities include system profiling, file execution, proxy configuration, reverse shell access, and a self-delete kill switch. The C2 configuration is embedded in the binary in encrypted form.

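The persistence step above (and recommendation 7 below) both hinge on /etc/ld.so.preload, so the following added example, which is not code from Darktrace, SAP or the advisory, shows how a defender can audit that file offline. The allowlist, the trusted directory list and the sample file contents are constructed assumptions; populate ALLOWED_PRELOADS from your own fleet baseline.

```python
"""Audit an ld.so.preload file for preload-based persistence.

Added example for this advisory, not code from Darktrace or from the
Auto-Color sample. ALLOWED_PRELOADS and SAMPLE_PRELOAD are constructed
assumptions for demonstration only.
"""
import os
from dataclasses import dataclass, field

# Shared-object name the advisory ties to Auto-Color persistence.
KNOWN_BAD_NAMES = {"libcext.so.2"}

# Hypothetical fleet baseline: preload entries that are expected (assumption).
ALLOWED_PRELOADS = {"/usr/lib64/libjemalloc.so.2"}

# Directories that legitimately hold system shared objects (assumption).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)


def parse_preload(text: str) -> list:
    """Return the entries of an ld.so.preload file in order.

    glibc reads the file as whitespace-separated paths; anything after '#'
    on a line is a comment.
    """
    entries = []
    for raw in text.splitlines():
        entries.extend(raw.split("#", 1)[0].split())
    return entries


def audit_preload(text: str) -> list:
    """Flag every entry that is not on the allowlist, with the reasons why."""
    findings = []
    for entry in parse_preload(text):
        if entry in ALLOWED_PRELOADS:
            continue
        reasons = []
        if os.path.basename(entry) in KNOWN_BAD_NAMES:
            reasons.append("known Auto-Color library name")
        if not entry.startswith(TRUSTED_LIB_DIRS):
            reasons.append("outside trusted library directories")
        if any(part.startswith(".") for part in entry.split("/")):
            reasons.append("hidden path component")
        if not reasons:
            reasons.append("not in fleet allowlist")
        findings.append(Finding(entry, reasons))
    return findings


def audit_host(path: str = "/etc/ld.so.preload") -> list:
    """Audit the live file; an absent file means no persistence of this kind."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_preload(fh.read())


# Constructed sample content, not captured from a real host.
SAMPLE_PRELOAD = """# preload file as it might look after the persistence step
/usr/lib64/libjemalloc.so.2
/usr/lib64/libcext.so.2
/var/tmp/.cache/libhelper.so
"""

if __name__ == "__main__":
    for f in audit_preload(SAMPLE_PRELOAD):
        print(f"{f.entry}: {', '.join(f.reasons)}")
```

One caveat a responder should keep in mind: the Python interpreter is itself dynamically linked, so on an already infected host the preloaded library is loaded into the auditing process too and can hook the libc calls used to read the file. Treat a clean result from an on-host check as weak evidence; confirm with a statically linked tool, from rescue media, or against an agent's out-of-band copy of the file.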
Command & Control Behavior

C2 Servers:

  • 146.70.41[.]178 (primary outbound beaconing)
  • 47.97.42[.]177 (Supershell C2 platform – China-linked)

Adaptive Logic:

  • If root: full execution, SO injection, persistent installation.
  • If non-root: limited functionality, avoids detection.

Advanced Evasion Techniques

  • Conditional execution based on privilege
  • Dormant behavior if C2 unreachable
  • Logs itself as /var/log/cross/auto-color to blend with Linux system logs
  • Self-masking: Places itself in hidden directories to evade detection.
  • Kill switch support: Command ID 0xF can trigger self-removal, aiding in anti-forensics.

Recommendations

  1. Immediately apply patches for CVE-2025-31324 on all SAP NetWeaver servers. Confirm that exposed endpoints like /developmentserver/metadatauploader are inaccessible externally.
  2. Maintain up-to-date patch levels for critical libraries (libc, systemd, kernel) and ensure automatic updates are enabled where feasible.
  3. Alert on downloads of ZIP or JSP files from external sources to SAP application servers, particularly if the filenames include helper.jsp, cmd.jsp, or uid.jsp.
  4. Monitor HTTP POST and GET requests to SAP NetWeaver endpoints, especially URIs containing /developmentserver/metadatauploader, as these may indicate exploitation attempts against CVE-2025-31324.
  5. Flag any execution of .sh scripts (e.g., config.sh) shortly after unusual network activity on SAP servers, as this may indicate staged payload deployment.
  6. Correlate script execution with recently modified JSP files, especially helper.jsp, to identify webshell-triggered malware installation.
  7. Monitor for changes to /etc/ld.so.preload, especially insertions of uncommon or unknown shared object libraries like libcext.so.2 — a strong indicator of preload-based persistence.
  8. Block the IOCs listed in the VirusTotal collection at the respective controls (perimeter firewall, web proxy, EDR): https://www.virustotal.com/gui/collection/e9bf137ab90bee5eb17fed6ba02c8691b62cf62c71f9c9ead0199d778b5a188f/iocs

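Recommendations 3 and 4 above translate directly into a log rule. The following added example, which is not code from Darktrace, SAP or the advisory, triages a web access log for requests to the vulnerable endpoint and for the webshell file names listed above, and raises the verdict when a successful upload is followed by a webshell request from the same client. The log lines are constructed in Common Log Format and the /irj/ path in them is a sample path; a real SAP NetWeaver access log will need LOG_RE adapted to its layout.

```python
"""Triage a web access log for CVE-2025-31324 exploitation and follow-on
webshell use.

Added example for this advisory, not Darktrace's or SAP's code. SAMPLE_LOG
is constructed; LOG_RE assumes Common Log Format (assumption).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Vulnerable endpoint named in the advisory; matched case-insensitively so
# casing tricks do not slip past the rule.
EXPLOIT_ENDPOINT = "/developmentserver/metadatauploader"
# Webshell file names named in the advisory.
WEBSHELL_NAMES = {"helper.jsp", "cmd.jsp", "uid.jsp"}


def classify(line: str):
    """Return an event dict for a suspicious line, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["target"]).path
    tags = []
    if path.lower().rstrip("/") == EXPLOIT_ENDPOINT:
        # A POST carries the upload; a GET is the usual reachability probe.
        tags.append("uploader-post" if m["method"] == "POST" else "uploader-probe")
    if path.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
        tags.append("webshell-request")
    if not tags:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": path, "status": int(m["status"]), "tags": tags}


def verdict_for(events: list) -> str:
    """Escalate when a 200 on the uploader precedes a webshell request."""
    upload_idx = next((i for i, e in enumerate(events)
                       if "uploader-post" in e["tags"] and e["status"] == 200), None)
    shell_idx = [i for i, e in enumerate(events) if "webshell-request" in e["tags"]]
    if upload_idx is not None and any(i > upload_idx for i in shell_idx):
        return "upload-then-webshell"
    if shell_idx or any("uploader-post" in e["tags"] for e in events):
        return "exploitation-attempt"
    return "probe"


def triage(log_text: str) -> dict:
    """Group suspicious events by client IP and attach a verdict per IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = classify(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    return {ip: {"verdict": verdict_for(evs), "events": evs} for ip, evs in by_ip.items()}


# Constructed sample, not a real capture. 203.0.113.5 probes, uploads, then
# calls the webshell; 198.51.100.7 only probes; 192.0.2.9 is normal traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2025:10:01:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.5 - - [15/Apr/2025:10:01:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0
203.0.113.5 - - [15/Apr/2025:10:01:15 +0000] "GET /irj/helper.jsp?cmd=sh%20config.sh HTTP/1.1" 200 128
198.51.100.7 - - [15/Apr/2025:10:02:00 +0000] "GET /DevelopmentServer/MetadataUploader HTTP/1.1" 403 0
192.0.2.9 - - [15/Apr/2025:10:03:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for ip, result in triage(SAMPLE_LOG).items():
        print(ip, result["verdict"], [e["tags"] for e in result["events"]])
```

The ordering check matters: a webshell hit by itself could be a scanner guessing file names, whereas a 200 on the uploader followed by a request for helper.jsp from the same source is the chain the advisory describes and justifies an immediate host investigation.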
MITRE ATT&CK

  • Resource Development: Obtain Capabilities: Malware (T1588.001)
  • Initial Access: Exploit Public-Facing Application (T1190)
  • Execution: Command and Scripting Interpreter: Unix Shell (T1059.004)
  • Persistence: Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006)
  • Defense Evasion: Masquerading (T1036); Masquerading: Match Legitimate Resource Name or Location (T1036.005)
  • Command and Control: Data Obfuscation (T1001); Non-Standard Port (T1571); Application Layer Protocol (T1071); Application Layer Protocol: Web Protocols (T1071.001)
  • Exfiltration: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003)

Source:

  • https://www.darktrace.com/blog/auto-color-backdoor-how-darktrace-thwarted-a-stealthy-linux-intrusion

Ampcus Cyber