Hackers have exploited a critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Color Linux malware in a cyberattack against a US-based chemicals company.
Cybersecurity firm Darktrace discovered the attack during an April 2025 incident response engagement, where analysis revealed that the Auto-Color malware has evolved to include additional advanced evasion tactics.
Darktrace reports that the attack began on April 25th, with active exploitation taking place two days later, delivering ELF (Linux executable) files to the target machine.
The Auto-Color malware was first documented in February 2025 by researchers at Palo Alto Networks' Unit 42, who highlighted its evasive nature and the difficulty of removing it from an infected machine.
The backdoor adjusts its behavior based on the privilege level of the user it runs as and uses "ld.so.preload" for stealthy persistence via shared object injection.
Auto-Color's features include running arbitrary commands, modifying files, a reverse shell for full remote access, proxy traffic forwarding, and dynamic configuration updates. There is also a rootkit module that hides malicious activity from security tools.
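To make the persistence mechanism concrete from the defender's side, here is an added example (my own code, not Darktrace's or Unit 42's) that audits the contents of an ld.so.preload file, the loader configuration the backdoor abuses, and flags entries a responder should look at. The heuristics, the directory list and the sample file content are assumptions constructed for illustration, not indicators taken from the report.

```python
"""Audit ld.so.preload entries for signs of shared-object injection persistence.

Added example, not code from Darktrace or Unit 42. Any path listed in
/etc/ld.so.preload is loaded into every dynamically linked process, which is
why a backdoor writing itself there survives reboots and shadows libc calls.
The heuristics below are assumptions; an entry with no findings still merits
review, because malware may use benign-looking names in normal library paths.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable

# Directories in which no legitimate system library should live (assumption).
# /var/log is included because fake log directories are a known hiding place.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/var/log/")

# Constructed sample content; not a real capture from any incident.
SAMPLE_PRELOAD = """# constructed sample; not a real capture
/usr/local/lib/libhelper.so
/var/log/.cache/libsys.so
/tmp/.x/libx.so:libdata
"""


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def parse_preload(text: str) -> list:
    """ld.so.preload holds paths separated by whitespace or ':'; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def audit_entry(path: str, exists: Callable[[str], bool]) -> Finding:
    """Apply the heuristics to one preload entry and return the reasons it is suspect."""
    reasons = []
    if not path.startswith("/"):
        reasons.append("relative path (resolved via library search path, not pinned)")
    if path.startswith(SUSPICIOUS_DIRS):
        reasons.append("located in a directory no system library should use")
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append("hidden path component")
    if not re.search(r"\.so(\.\d+)*$", path):
        reasons.append("does not look like a shared object name")
    if path.startswith("/") and not exists(path):
        reasons.append("file missing on disk (already-loaded copy may persist in memory)")
    return Finding(path, reasons)


def audit_preload(text: str, exists: Callable[[str], bool] = os.path.exists) -> list:
    """Audit every entry in the given ld.so.preload content."""
    return [audit_entry(p, exists) for p in parse_preload(text)]


def suspicious(findings: Iterable[Finding]) -> list:
    """Keep only entries that triggered at least one heuristic."""
    return [f for f in findings if f.reasons]


def main() -> None:
    target = "/etc/ld.so.preload"
    if os.path.isfile(target):
        with open(target, encoding="utf-8", errors="replace") as fh:
            findings = audit_preload(fh.read())
    else:
        # No preload file on this host: run the constructed sample, treating its paths as present.
        findings = audit_preload(SAMPLE_PRELOAD, exists=lambda p: True)
    for f in findings:
        status = "REVIEW" if f.reasons else "no findings"
        print(f"{f.path}: {status}")
        for r in f.reasons:
            print(f"    - {r}")


if __name__ == "__main__":
    main()
```

Run it as root on the host under investigation; it reads /etc/ld.so.preload if present and otherwise demonstrates itself on the constructed sample. The "file missing on disk" check matters because a library can be deleted after the loader has mapped it, so a missing path is a reason to inspect running processes' memory maps, not to dismiss the entry.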
Unit 42 was unable to determine the initial infection vector in attacks targeting universities and government organizations in North America and Asia.
According to the latest research by Darktrace, Auto-Color now exploits CVE-2025-31324, a critical vulnerability in NetWeaver that allows an unauthenticated attacker to upload malicious binaries and achieve remote code execution (RCE).
[Image] Source: DarkTrace
SAP fixed the flaw in April 2025, but security firms ReliaQuest, Onapsis and watchTowr reported seeing active exploitation attempts within days of the fix.
By May, ransomware actors and Chinese nation-state hackers had joined the exploitation activity, and Mandiant reported that it had found evidence of zero-day exploitation of CVE-2025-31324 since at least mid-March 2025.
Apart from the initial access vector, DarkTrace also discovered a new evasion measure implemented in the latest version of Auto-Color.
Auto-Color suppresses most of its malicious behavior if it cannot connect to a hardcoded command-and-control (C2) server. This applies to air-gapped sandbox environments, where the malware appears benign to analysts.
"If the C2 server is unreachable, Auto-Color will effectively stall and appear benign to analysts, refraining from unfolding its full malicious features," explains DarkTrace.
"This behavior hampers reverse engineering efforts by not revealing payloads, credential harvesting mechanisms, or persistence techniques."
This is in addition to the evasion measures previously documented by Unit 42, including privilege-aware execution logic, use of benign-looking file names, hooks for libc functions, use of fake log directories, TLS-encrypted C2 connections, unique hashes for each sample, and the presence of a "kill switch".
With Auto-Color now actively exploiting CVE-2025-31324, administrators need to act quickly and apply the security updates or mitigations provided in SAP's customer-only bulletins.