The Microsoft Malware Protection Center (MMPC) is warning companies about a new information-stealing trojan that has been found targeting the SAP logon client. The detection name is TrojanSpy:Win32/Gamker.A.
SAP is a global company with headquarters in Germany and operations in 130 countries worldwide. SAP develops enterprise software applications for tracking and managing business operations, and is used by an estimated 86% of Forbes 500 companies.
These business operations can range from applications such as tracking the manufacture of a product in a factory, managing human resources processes, or tracking and managing customer sales. Needless to say, the data contained in SAP systems is often sensitive and the security surrounding SAP systems is a recurring topic in the information security field.
A few days ago a trojan was found in the wild that specifically includes functionality targeting SAP. This is believed to be the first malware developed by criminals targeting SAP.
Carberp is an infamous banking trojan whose source code was leaked earlier this year, and Gamker clearly shares part of its code with Carberp: Gamker's remote-control code matches code contained in Carberp.
Gamker contains a keylogging component that records all keystrokes entered into any application running on the compromised computer. This component can capture login details, including usernames and passwords, among them those entered into SAP client applications.
When the keylogging component is loaded into a process that matches one of the executable names in Table 1, it then additionally records the command-line arguments passed to the application, and begins to capture screenshots of the entire desktop periodically. It captures 10 screenshots spaced about one second apart from each other before transmitting them to the C&C server.
This is an attempted attack on SAP and not just a harmless data-gathering operation to determine whether SAP is installed. The attackers use the execution of the SAP component "saplogon.exe" as the trigger to record the command-line arguments passed to it, and send those arguments together with a series of 10 screenshots to the C&C server.
These three types of information sent to the server will, in many cases, include critical information such as:
- Keylogs:
  - SAP password and sometimes the user name.
- Screenshots:
  - SAP user name, server name, some confidential data, and more.
- Command-line arguments:
  - Unlikely to contain sensitive information, based on initial analysis of the 'saplogon.exe' binary.
- VNC:
  - A VNC session can be initiated by the attacker to grab any additional information necessary to compromise the SAP server, as well as to attack the SAP server directly from the infected machine.
This trojan's targeting of businesses, as opposed to individuals, is an alarming development, and we will be monitoring it for further developments to protect and inform customers.
To reduce the risk of, and mitigate the damage caused by, an attack like the one on SAP, MMPC recommends a number of general security policies:
- Access control. Grant users the minimum access privilege level required to complete their job. This reduces the amount of data compromised in a successful attack.
- Two-factor authentication. A two-factor authentication process may stop this attack from being successful.
- Security education. Schedule training courses for all employees. A security-smart employee may be able to avoid infection in the first place.
- Antimalware solution. Run antimalware software on all workstations and monitor compliance. This may detect the trojan prior to infecting the workstation.
- Network intrusion detection system. This may create alerts on the suspicious VNC connection, detect the data exfiltration, or may also detect the trojan C&C communication on the network.
- Security management. Ensure workstations are running up-to-date versions of Windows with the latest security patches applied, and that security-critical software such as Java, Adobe Flash, Adobe Reader, Microsoft Office, and web browsers is up to date. Compliance needs to be monitored and enforced.
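As an added defender-side example (not part of the MMPC write-up and not derived from Gamker's code), the following Python flow-log analyzer looks for the two network behaviours the article describes: the burst of ten screenshot uploads spaced about one second apart that follows the launch of saplogon.exe, and a VNC session involving the infected workstation or the SAP server, which is what the network intrusion detection bullet above is meant to catch. The flow record format, the internal address range, the VNC port numbers, the SAP server address and the size/timing thresholds are all assumptions chosen for the constructed sample log embedded in the block.

```python
"""Flow-log heuristics for two behaviours described in the article: a burst of
~10 screenshot uploads about one second apart to a C&C host, and a VNC session
touching the infected workstation or the SAP server. Added example; the record
format, ports and thresholds are assumptions, not details from the MMPC write-up."""
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_PREFIX = "10."          # assumption: workstations and servers live in 10.0.0.0/8
SAP_SERVERS = {"10.1.5.10"}      # constructed: address of the SAP application server
VNC_PORTS = {5900, 5901}         # assumption: default RFB listening ports
BURST_MIN_FLOWS = 10             # from the article: 10 screenshots per burst
BURST_MAX_GAP = 2.0              # seconds; "about one second apart", with slack
BURST_MIN_BYTES = 20_000         # assumption: a full-desktop screenshot is not tiny


@dataclass(frozen=True)
class Flow:
    ts: float        # epoch seconds when the flow started
    src: str
    dst: str
    dport: int
    out_bytes: int   # bytes sent src -> dst


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'ts src dst dport out_bytes'."""
    ts, src, dst, dport, out_bytes = line.split()
    return Flow(float(ts), src, dst, int(dport), int(out_bytes))


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_PREFIX)


def screenshot_bursts(flows):
    """Return (src, dst, run_length) for every internal host that sent at least
    BURST_MIN_FLOWS sizeable uploads to one external host, each no more than
    BURST_MAX_GAP seconds after the previous one."""
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if is_internal(f.src) and not is_internal(f.dst) and f.out_bytes >= BURST_MIN_BYTES:
            by_pair[(f.src, f.dst)].append(f.ts)
    hits = []
    for (src, dst), times in by_pair.items():
        best = run = 1
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if cur - prev <= BURST_MAX_GAP else 1
            best = max(best, run)
        if best >= BURST_MIN_FLOWS:
            hits.append((src, dst, best))
    return hits


def vnc_sessions(flows, sap_servers):
    """Return (src, dst) for VNC-port flows that cross the network boundary in
    either direction, or that run from an internal host to a SAP server.
    Purely internal VNC between workstations (e.g. helpdesk) is left alone."""
    hits = set()
    for f in flows:
        if f.dport not in VNC_PORTS:
            continue
        crosses_boundary = is_internal(f.src) != is_internal(f.dst)
        toward_sap = f.dst in sap_servers
        if crosses_boundary or toward_sap:
            hits.add((f.src, f.dst))
    return sorted(hits)


def analyze(log_text: str, sap_servers=SAP_SERVERS):
    """Run both heuristics over a whole flow log and return the findings."""
    flows = [parse_flow(line) for line in log_text.splitlines() if line.strip()]
    return {"bursts": screenshot_bursts(flows), "vnc": vnc_sessions(flows, sap_servers)}


# Constructed sample: workstation 10.1.2.30 logs on to SAP (3200 is the
# dispatcher port of instance 00), then pushes ten ~60 KB uploads roughly a
# second apart to 203.0.113.7, and later opens a VNC connection to the SAP
# server. 10.1.2.31 generates ordinary traffic and an internal helpdesk VNC.
SAMPLE_FLOWS = """\
1700000000.0 10.1.2.30 10.1.5.10 3200 812
1700000001.0 10.1.2.30 203.0.113.7 443 61230
1700000002.0 10.1.2.30 203.0.113.7 443 59877
1700000003.1 10.1.2.30 203.0.113.7 443 60412
1700000004.0 10.1.2.30 203.0.113.7 443 58901
1700000005.2 10.1.2.30 203.0.113.7 443 61002
1700000006.1 10.1.2.30 203.0.113.7 443 60333
1700000007.0 10.1.2.30 203.0.113.7 443 59450
1700000008.1 10.1.2.30 203.0.113.7 443 60788
1700000009.0 10.1.2.30 203.0.113.7 443 61109
1700000010.2 10.1.2.30 203.0.113.7 443 59964
1700000011.0 10.1.2.31 198.51.100.4 443 2048
1700000012.0 10.1.2.31 10.1.2.32 5900 4100
1700000030.0 10.1.2.30 10.1.5.10 5900 4200
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_FLOWS))
```

The two heuristics are deliberately independent: the burst detector does not need to know which process produced the traffic, so it also catches a variant that uses a different trigger executable, while the VNC check keys on the SAP server address so that an attacker pivoting from the infected workstation shows up even if the C&C channel itself is missed. Tune BURST_MIN_BYTES and BURST_MAX_GAP against a baseline of your own flow data before relying on either alert.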