SAP Trojan based partially on Carberp code
Bit by bit, details about the first information-stealing Trojan discovered targeting SAP enterprise software are being unveiled, and Microsoft researchers have tied at least part of its source code to that of the infamous Carberp banking Trojan.
The developers of Carberp have been arrested in Ukraine earlier this year, and its source code was spotted being sold on underground forums a few months later.
By analyzing the “SAP Trojan”, which was dubbed Gamker, the researchers discovered that its remote control code is the same as that of Carberp, but it’s impossible to tell if the two types of malware are the product of same developers.
SAP enterprise software is extremely popular, and is used by the overwhelming majority of top companies, so the pool of potential targets is huge. Needless to say, the information held on the systems where this software is installed is extremely sensitive.
“Gamker is a general banking and information-stealing trojan. Among its targets are online banking web-browser sessions, BitCoin wallets, public and private keys, cryptography tools, and finance-related software applications,” the researchers explained.
When it comes to SAP software, the malware is able to log keystrokes per application and store them in separate files. It also records screenshots and command-line arguments, and send it all to remote servers controlled by the attackers.
Among the applications that trigger the recording are the SAP Logon for Windows client, a number of clients for remote administration, tools to manage TrueCrypt and BestCrypt protected filesystems, a series of electronic banking applications, and so on.
The malware is after SAP passwords and usernames, server names, confidential business data. Also, according to AV specialists at Dr. Web, it runs a proxy server and a VNC server on an infected computer, prevents the user to visit AV company websites, and allows attackers to execute commands from a C&C server.
While the most popular AV solutions out there are already detecting Gamker, new variants are sure to pass occasionally through their nets – at least for a short while.
Microsoft advises administrators to minimize the potential damage by restricting user access privileges, implement 2-factor authentication if possible, raise security awareness among the employees, keep operating systems, critical software and AV solutions on workstations updated, and use a network intrusion detection system to detect suspicious inbound and outbound connections.