Ethical Hacking News
Darktrace reported detecting an Auto-Color backdoor malware attack against a US-based chemicals company. The attackers exploited a critical SAP NetWeaver flaw to deploy the malware. Darktrace's rapid detection and response prevented the malware from fully activating, but the incident highlights the ongoing threat posed by advanced persistent threats.
An Auto-Color backdoor malware attack was detected on a US-based chemicals company's network. A zero-day vulnerability (CVE-2025-31324) with a CVSS score of 10/10 was exploited. The attackers used advanced evasion tactics and suppression methods to avoid detection. Darktrace's rapid detection and response prevented the malware from fully activating. Auto-Color is a Linux backdoor targeting universities, government bodies, and now chemicals firms in the US and Asia.
In recent days, a sophisticated and targeted attack on a U.S.-based chemicals firm has drawn attention to a critical vulnerability in SAP NetWeaver Visual Composer Metadata Uploader that was potentially being exploited. Darktrace reported detecting an Auto-Color backdoor malware attack on the network of a US-based chemicals company. The attackers took advantage of a zero-day vulnerability, tracked as CVE-2025-31324, which has a CVSS score of 10/10, the maximum severity rating, indicating that it poses significant risk to affected systems.
The Auto-Color backdoor malware attack began on April 25, when Darktrace detected suspicious incoming connections probing for vulnerabilities. Two days later, the attack escalated: a ZIP file was downloaded, followed by DNS requests to an out-of-band domain. This activity triggered an alert for a suspicious ELF file (ELF being the native executable format on Linux). The attackers continued their attempts, eventually downloading multiple files, including a malicious script disguised as a routine configuration file.
Using these downloaded files, the attacker executed commands, made DNS and SSL connections to external endpoints, and contacted infrastructure tied to known cyber-espionage groups. Within 24 hours, the Auto-Color malware had been deployed, hidden in a fake log file, indicating that the attackers had successfully breached the company's defenses.
Auto-Color is especially dangerous when run with root access. It installs a disguised system library to stay hidden and maintain control, even after restarts. It also tries to establish secure communication with a command-and-control (C2) server to receive further instructions. If left unchecked, this malware could potentially lead to significant disruptions in the company's operations.
Thanks to Darktrace's rapid detection and response, the malware was blocked before it could fully activate. The security team extended automated protections for 24 more hours, giving them time to investigate and contain the threat. Without a live connection to its C2 server, the malware remained mostly dormant, highlighting its reliance on real-time operator control and evasion tactics designed to avoid detection in secure environments.
Darktrace pointed out that the threat now uses advanced evasion tactics and suppression methods to avoid detection when its kill chain is disrupted. This indicates that the attackers were able to adapt their tactics mid-attack, making it even more challenging for the security team to detect and respond.
Auto-Color is a Linux backdoor malware first seen in 2024, targeting universities and government bodies in the US and Asia. It exploits SAP NetWeaver flaws and uses built-in system features such as ld.so.preload to gain persistence. If run as root, it installs a fake system library for stealth. The malware hides in /var/log/cross/auto-color, uses TLS to reach a hardcoded C2 server, and suppresses its behavior when offline, evading detection in secure or sandboxed setups.
Auto-Color supports multiple features, including command execution, reverse shell access, traffic proxying, file changes, and config updates. The malware includes a rootkit component to hide its activity from security tools.
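As an added defender-side example (not code from the article, Darktrace, or the malware's authors), the following Python triage helper checks the two persistence traits described above: unvetted /etc/ld.so.preload entries and the /var/log/cross/auto-color drop path. The sample preload content, library names and trusted-directory list are constructed assumptions, not Auto-Color indicators.

```python
import os

# Drop location the article names for the Auto-Color payload.
AUTO_COLOR_PATH = "/var/log/cross/auto-color"
# Directories where preloaded libraries normally live (assumption: tune per distro).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Constructed sample of a tampered ld.so.preload; the names are made up, not IoCs.
SAMPLE_PRELOAD = """
/usr/lib/libedr-agent.so   # vetted agent library (constructed name)
/usr/lib/.hidden/libsys.so.2
/dev/shm/libx.so
/tmp/gone.so
"""
SAMPLE_EXISTING = {"/usr/lib/libedr-agent.so", "/usr/lib/.hidden/libsys.so.2",
                   "/dev/shm/libx.so"}

def audit_preload(text, allowed=(), exists=os.path.exists):
    """Return (entry, reason) findings for the body of /etc/ld.so.preload.
    glibc reads it as a whitespace-separated list and drops '#' comments, so the
    parser mirrors that; `exists` is injectable so the check runs offline."""
    findings = []
    for line in text.splitlines():
        for entry in line.split("#", 1)[0].split():
            if entry in allowed:          # operator-vetted entry, e.g. an EDR hook
                continue
            if not entry.startswith("/"):
                reason = "relative path, resolved through the library search path"
            elif not exists(entry):
                reason = "referenced library does not exist"
            elif not any(entry.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
                reason = "library lives outside the trusted library directories"
            else:
                reason = "unvetted preload entry"
            findings.append((entry, reason))
    return findings

def triage_host(preload_text, allowed=(), exists=os.path.exists):
    """Combine the preload audit with a check for the article's drop path."""
    findings = audit_preload(preload_text, allowed, exists)
    dropped = exists(AUTO_COLOR_PATH)
    return {"preload": findings, "drop_path_present": dropped,
            "suspicious": bool(findings) or dropped}

if __name__ == "__main__":
    # Demo on the constructed sample; on a real host pass the contents of /etc/ld.so.preload.
    print(triage_host(SAMPLE_PRELOAD, ("/usr/lib/libedr-agent.so",),
                      lambda p: p in SAMPLE_EXISTING))
```

An empty or absent /etc/ld.so.preload is the normal state on most hosts, so any entry that is not on the operator's allow list deserves a look.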
The fact that Auto-Color exploits the CVE-2025-31324 vulnerability in SAP NetWeaver Visual Composer Metadata Uploader underscores the importance of keeping software up-to-date and patched. This critical flaw was potentially being exploited, highlighting the need for organizations to stay vigilant and proactive when it comes to cybersecurity.
Furthermore, this attack highlights the threat posed by advanced persistent threats (APTs) that are designed to evade detection in secure environments. APTs are typically associated with nation-state actors or organized crime groups, and they often use sophisticated tactics and techniques to avoid detection.
In conclusion, the Auto-Color malware attack serves as a stark reminder of the importance of cybersecurity awareness and preparedness. As software vulnerabilities continue to evolve and new threats emerge, it is essential for organizations to stay informed and proactive when it comes to protecting themselves against cyber threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Auto-Color-Malware-Threat-Unpacking-the-Exploitation-of-SAP-NetWeaver-Flaws-ehn.shtml
https://securityaffairs.com/180562/malware/critical-sap-flaw-exploited-to-launch-auto-color-malware-attack-on-u-s-company.html
https://nvd.nist.gov/vuln/detail/CVE-2025-31324
https://www.cvedetails.com/cve/CVE-2025-31324/
Published: Wed Jul 30 03:44:34 2025 by llama3.2 3B Q4_K_M