SAP Trojan Uses Carberp Code

Friday, November 22, 2013 @ 05:11 PM gHale

The Carberp banking Trojan has roots into the information stealing Trojan that is targeting SAP enterprise software, researchers said.

The Carberp developers ended up arrested in Ukraine earlier this year, but its source code was for sale on underground forums a few months later.

Two Trojans Collaborate in Attack
Malware Targets SAP Users
Chrome Search Leads to Malware
Tough Ransomware Sinkholed

By analyzing the “SAP Trojan”, which called Gamker, Microsoft researchers found its remote control code is the same as that of Carberp, but it’s impossible to tell if the two types of malware are the product of same developers.

SAP enterprise software sees use by the majority of top companies, so the pool of potential targets is huge. Needless to say, the information held on the systems run with SAP is sensitive.

“Gamker is a general banking and information-stealing Trojan. Among its targets are online banking web-browser sessions, BitCoin wallets, public and private keys, cryptography tools, and finance-related software applications,” the Microsoft researchers said.

When it comes to SAP software, the malware is able to log keystrokes per application and store them in separate files. It also records screenshots and command-line arguments, and sends it all to remote servers controlled by the attackers.

Among the applications that trigger the recording are the SAP Logon for Windows client, a number of clients for remote administration, tools to manage TrueCrypt and BestCrypt protected filesystems, a series of electronic banking applications, and so on.

The malware is after SAP passwords and usernames, server names, confidential business data.

Microsoft advises administrators to minimize the potential damage by restricting user access privileges, implement two-factor authentication if possible, raise security awareness among the employees, keep operating systems, critical software and AV solutions on workstations updated, and use a network intrusion detection system to detect suspicious inbound and outbound connections.

Leave a Reply

You must be logged in to post a comment.