Full Report
Hackers were spotted exploiting a critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Color Linux malware in a cyberattack on a U.S.-based chemicals company. [...]
Analysis Summary
# Incident Report: SAP NetWeaver Exploit Deploys Auto-Color Malware
## Executive Summary
Threat actors are actively exploiting an unpatched vulnerability, CVE-2025-31324, in SAP NetWeaver installations to gain initial access. The primary payload observed following exploitation is the Linux Auto-Color malware, which employs sophisticated evasion techniques, including checking for C2 connectivity to activate its full malicious functionality. Rapid patching by targeted organizations is crucial to prevent compromise.
## Incident Details
- Discovery Date: Not explicitly stated, implied discovery/reporting based on current threat intelligence.
- Incident Date: Ongoing exploitation activity observed.
- Affected Organization: Unspecified organizations running vulnerable SAP NetWeaver installations.
- Sector: Unspecified (Likely enterprise/IT systems managing critical business functions).
- Geography: Not specified.
## Timeline of Events
### Initial Access
- Date/Time: Ongoing active exploitation.
- Vector: Exploitation of SAP NetWeaver vulnerability, specifically **CVE-2025-31324**.
- Details: Attackers leverage the known vulnerability to execute initial code on the target system.
### Lateral Movement
- Details: The context primarily focuses on the initial compromise and subsequent payload behavior; lateral movement techniques are implied by the nature of the malware but not detailed.
### Data Exfiltration/Impact
- Details: The deployed malware, Auto-Color, is known to include **credential harvesting mechanisms**. The ultimate impact leans towards data theft and potential system compromise depending on the full execution chain.
### Detection & Response
- Detection: Discovered through analysis by security researchers (Darktrace and Unit 42 provided previous context on Auto-Color). Darktrace noted the malware's evasion tactics in sandboxes.
- Response: The primary response action recommended is the **application of security updates/mitigations** provided in the customer-only SAP bulletin (SAP note: 3594142).
## Attack Methodology
- Initial Access: Exploitation of **CVE-2025-31324** in SAP NetWeaver.
- Persistence: Previous analysis of Auto-Color indicated techniques, including **use of benign filenames** and established persistence mechanisms (though specifics not detailed for this latest campaign).
- Privilege Escalation: Implied, as the malware likely needs elevated rights for full functionality, but specific techniques are not listed in this report segment.
- Defense Evasion: **New evasion measure**: Auto-Color suppresses malicious behavior if it cannot connect to its hardcoded Command-and-Control (C2) server, making it appear benign in sandboxed or air-gapped environments. Also employs **hooking libc functions** and **using a fake logs directory**.
- Credential Access: Credential harvesting mechanisms are part of the dormant functionality.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: **Credential harvesting** is a noted capability.
- Exfiltration: Not detailed.
- Impact: Potential system compromise and data theft upon successful C2 connection.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Potential for sensitive data exposure, specifically credentials, if full payload executes.
- Operational: Risk to business operations reliant on vulnerable SAP NetWeaver infrastructure.
- Reputational: Potential if organizations using SAP systems are publicly confirmed as compromised.
## Indicators of Compromise
- Network indicators: Connections to the hardcoded Command-and-Control (C2) server (C2 addresses not provided/defanged).
- File indicators: The presence of the **Auto-Color malware** binary.
- Behavioral indicators: Malware behaving benignly if C2 is unreachable, or execution following successful exploitation of CVE-2025-31324. Indicators also include usage of **unique hashes for each sample** and attempting to **hook libc functions**.
## Response Actions
- Containment: Not explicitly detailed, but implied necessary action is isolating systems exhibiting initial exploitation signs.
- Eradication: Not explicitly detailed.
- Recovery: Not explicitly detailed.
*Note: The main recommended response is preventative patching.*
## Lessons Learned
- Criticality of timely patching for known vulnerabilities, especially those impacting core enterprise software like SAP NetWeaver.
- Attackers are rapidly weaponizing new vulnerabilities (CVE-2025-31324).
- Malware analysis needs to account for advanced dormancy/evasion techniques, where functionality is gated on C2 communication checks.
## Recommendations
- Immediately apply security updates and mitigations provided by SAP via customer-only note **3594142** to all SAP NetWeaver installations.
- Enhance malware analysis procedures to actively test environments where specific C2 servers are simulated as unavailable, looking for suppressed malicious routines.