Hackers hit SAP security bug to send out nasty Linux malware

• A critical flaw in SAP NetWeaver is still being abused, months after patching
• Researchers saw it used to deploy Auto-Color
• This backdoor remains dormant when not in use

A vulnerability in SAP NetWeaver is being exploited to deploy Linux malware capable of running arbitrary system commands and deploying additional payloads, experts have warned.

Security researchers from Palo Alto Networks’ Unit 42 discovered a piece of malware called Auto-Color, a Linux backdoor, dubbed for its ability to rename itself after installation.

The researchers found it was capable of opening reverse shells, executing arbitrary system commands, acting as a proxy, uploading and modifying files, as well as adjusting settings dynamically. It was also discovered that the backdoor remains mostly dormant if its C2 server is unreachable, effectively evading detection by staying inactive until the operator instructions arrive.