Recently there has been quite a bit of buzz about an information-stealing trojan that was found to be targeting the logon client for SAP. We detect this trojan as TrojanSpy:Win32/Gamker.A.
SAP is a global company with headquarters in Germany and operations in 130 countries worldwide. SAP develops enterprise software applications for tracking and managing business operations, and is used by an estimated 86% of Forbes 500 companies. These business operations can range from applications such as tracking the manufacture of a product in a factory, managing human resources processes, or tracking and managing customer sales. Needless to say, the data contained in SAP systems is often sensitive and the security surrounding SAP systems is a recurring topic in the information security field.
A few weeks ago, another vendor reported a trojan in the wild that specifically includes functionality targeting SAP. This is believed to be the first malware developed by criminals that targets SAP.
In this blog we will present our analysis on how this trojan targets SAP and how it has code in common with Win32/Carberp.
Based on Carberp source
Carberp is an infamous banking trojan whose source code was leaked earlier this year, and Gamker clearly shares part of that code. The matches are to the remote-control code contained in Carberp:
The following files from the leaked source, identified by their relative paths, are matched through string constants that are stored encrypted within Gamker:
This usage of the virtual network computing (VNC) code indicates that Gamker has the capability to remotely control an infected machine. It is unclear if there is a larger connection between Gamker and Carberp since the remainder of Gamker’s code differs from Carberp's publicly leaked code.
Gamker is a general banking and information-stealing trojan. Among its targets are online banking web-browser sessions, Bitcoin wallets, public and private keys, cryptography tools, and finance-related software applications. In this section we go into detail on the threat this trojan poses to SAP.
The malware records keystrokes per application, generating keylog records in plaintext format to the file "%APPDATA%\<lowercase letters>". An example of these recorded keylogs is as follows:
Figure 1: Example of recorded keylogs
In addition to this keylogging, hardcoded inside the payload is a list of application names which are used as triggers to record additional information. Among this list is the SAP Logon for Windows client, as seen in Figure 2:
Figure 2: Targeting of SAP saplogon.exe component
Table 1 - List of triggers used to record screenshots and command-line arguments
Executable name trigger
Category assigned by trojan author
Client for Remote Administration
Unknown Russian payment-related tool
Unknown, likely a tool used to perform HTTP POST operations
Tool by Western Union Inc
Client for VPN remote access to computers
Tool used to manage TrueCrypt protected filesystems
Tool used to manage BestCrypt protected filesystems
SAP Logon for Windows
Application by Omikron related to electronic banking
Application by Omikron Systemhaus GmbH related to electronic banking
Application by UniCredit Bank Australia
Maybe Deutsche Bundesbank Eurosystem
Profibanka by Komerční banka
Banking application, Komerční banka
When the keylogging component is loaded into a process that matches one of the executable names in Table 1, it then additionally records the command-line arguments passed to the application, and begins to capture screenshots of the entire desktop periodically. It captures 10 screenshots spaced about one second apart from each other before transmitting them to the C&C server.
In addition to the triggers listed in Table 1, two other application lists are used as screenshot and command-line argument-recording triggers. They are included in Table 3 and Table 4 below, under the category names "IT" and "ETC" respectively.
An example of the recorded data after executing "saplogon.exe" with command-line arguments "-test" can be seen in Figure 3 below:
Figure 3: Recording of command-line arguments passed into saplogon.exe
The screenshots are captured once a second into the "%APPDATA%\<lowercase letters>\scrs\" directory, as seen in Figure 4 below:
Figure 4: Screenshots captured after executing saplogon.exe
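The on-disk artifacts described above (a plaintext keylog file under "%APPDATA%\<lowercase letters>", and a "scrs" folder that receives bursts of 10 screenshots about a second apart) give an incident responder something concrete to hunt for. The following Python script is an added example, not code from the original post or from Microsoft: it scans a roaming AppData directory for exactly that shape. The directory names, file names, file extensions and timestamps it builds for its own demo are constructed for the example, and the burst threshold (at least 10 files with no more than two seconds between consecutive ones) is an assumption chosen to tolerate jitter around the one-second interval.

```python
"""Hunt for Gamker-style keylog and screenshot artifacts under %APPDATA%.

Added example; not code from the original post. It matches the on-disk
behaviour described in the analysis: a lowercase-letters name directly under
the roaming AppData folder, a "scrs" sub-directory, and screenshots written
in bursts of 10 roughly one second apart. Names, extensions and timestamps
used by build_sample_tree() are made up for the demo.
"""
import os
import re
import tempfile
import time

# The trojan's directory/file name is random lowercase letters only.
LOWERCASE_NAME = re.compile(r"^[a-z]+$")


def screenshot_bursts(mtimes, burst_len=10, max_gap=2.0):
    """Count runs of at least burst_len files whose modification times are
    each within max_gap seconds of the previous one. A run of 10 screenshots
    about one second apart is the pattern described above; max_gap is an
    assumed tolerance for timing jitter."""
    mtimes = sorted(mtimes)
    bursts, run = 0, 1
    for prev, cur in zip(mtimes, mtimes[1:]):
        if cur - prev <= max_gap:
            run += 1
        else:
            if run >= burst_len:
                bursts += 1
            run = 1
    if run >= burst_len:
        bursts += 1
    return bursts


def hunt(appdata):
    """Return (keylog_candidates, screenshot_dirs) found directly under appdata.

    keylog_candidates: plain files whose name is lowercase letters only.
    screenshot_dirs:   (path, burst_count) for lowercase-named directories
                       holding a "scrs" folder with screenshot bursts."""
    keylog_candidates, screenshot_dirs = [], []
    for name in sorted(os.listdir(appdata)):
        path = os.path.join(appdata, name)
        if not LOWERCASE_NAME.match(name):
            continue  # vendor folders such as "Microsoft" never match
        if os.path.isfile(path):
            keylog_candidates.append(path)
            continue
        scrs = os.path.join(path, "scrs")
        if os.path.isdir(scrs):
            mtimes = [os.path.getmtime(os.path.join(scrs, f))
                      for f in os.listdir(scrs)]
            bursts = screenshot_bursts(mtimes)
            if bursts:
                screenshot_dirs.append((path, bursts))
    return keylog_candidates, screenshot_dirs


def _touch(path, mtime):
    """Create an empty file and set its modification time (constructed data)."""
    with open(path, "wb"):
        pass
    os.utime(path, (mtime, mtime))


def build_sample_tree(root):
    """Constructed sample AppData tree; every name and timestamp is made up."""
    base = time.time() - 3600
    # Benign vendor folder: mixed case, so it is skipped outright.
    os.makedirs(os.path.join(root, "Microsoft", "Windows"))
    # Benign lowercase folder with a "scrs" dir but only 3 files a minute apart:
    # no burst, so it must not be reported.
    benign = os.path.join(root, "cache", "scrs")
    os.makedirs(benign)
    for i in range(3):
        _touch(os.path.join(benign, f"thumb{i}.png"), base + 60 * i)
    # Gamker-like folder: one burst of 10 screenshots one second apart.
    hit = os.path.join(root, "qwlzkv", "scrs")
    os.makedirs(hit)
    for i in range(10):
        _touch(os.path.join(hit, f"{i}.bmp"), base + i)
    # Plaintext keylog candidate written directly under %APPDATA%.
    _touch(os.path.join(root, "hgtrwq"), base)


def demo():
    """Build the constructed tree in a temp dir and return the hunt results
    as base names, so the outcome does not depend on the temp path."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        keylogs, shots = hunt(root)
        return ([os.path.basename(p) for p in keylogs],
                [(os.path.basename(p), n) for p, n in shots])


if __name__ == "__main__":
    print(demo())
    # On a live host: print(hunt(os.environ["APPDATA"]))
```

Run it against a live profile with `hunt(os.environ["APPDATA"])`. Treat the output as triage leads rather than verdicts: a legitimate application can also use a short lowercase folder name, so confirm a hit by opening the candidate keylog and checking for the per-application plaintext keystroke records shown in Figure 1, and by comparing the screenshot timestamps with the times "saplogon.exe" or another trigger in Table 1 was launched.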
In summary, this is an attempted attack on SAP and not just a harmless data-gathering operation to determine whether SAP is installed. The attackers use the execution of the SAP component "saplogon.exe" as a trigger to record the command-line arguments passed into it and to send a series of 10 screenshots to the C&C server, on top of the keystrokes already being logged. These three types of information sent to the server will, in many cases, include critical information such as:
This trojan’s targeting of businesses, as opposed to individuals, is an alarming move and we will be monitoring this for further developments to protect and inform our customers.
Mitigating the risk
To reduce the risk of an attack like this one against SAP, and to limit the damage if one succeeds, there are a number of recommended security policies. Some general recommended policies are as follows:
For further recommendations, guidelines, and information on additional SAP security products, consult SAP and read through their security solutions.
Table 2 – Reference checksums for analyzed samples
Injects the trojan into all processes.
Carberp-based password and information stealer.
Table 3 – Additional screen and command-line capture triggers under the category "IT"
Table 4 – Additional screen and command-line capture triggers under the category "ETC"