SAP Trojan based partially on Carberp code
Posted on 21.11.2013
Bit by bit, details about the first information-stealing Trojan discovered targeting SAP enterprise software are being unveiled, and Microsoft researchers have tied at least part of its source code to that of the infamous Carberp banking Trojan.


The developers of Carberp were arrested in Ukraine earlier this year, and its source code was spotted being sold on underground forums a few months later.

By analyzing the "SAP Trojan", which was dubbed Gamker, the researchers discovered that its remote-control code is the same as that of Carberp, though it is impossible to tell whether the two families are the work of the same developers.

SAP enterprise software is extremely popular, and is used by the overwhelming majority of top companies, so the pool of potential targets is huge. Needless to say, the information held on the systems where this software is installed is extremely sensitive.

“Gamker is a general banking and information-stealing trojan. Among its targets are online banking web-browser sessions, BitCoin wallets, public and private keys, cryptography tools, and finance-related software applications,” the researchers explained.

When it comes to SAP software, the malware logs keystrokes on a per-application basis and stores them in separate files. It also captures screenshots and command-line arguments, and sends everything to remote servers controlled by the attackers.

Among the applications that trigger the recording are the SAP Logon for Windows client, a number of remote-administration clients, tools for managing TrueCrypt- and BestCrypt-protected filesystems, and a series of electronic banking applications, among others.

The malware is after SAP usernames and passwords, server names and confidential business data. According to AV specialists at Dr. Web, it also runs a proxy server and a VNC server on the infected computer, blocks the user from visiting AV vendor websites, and executes commands received from a C&C server.

While the most popular AV solutions already detect Gamker, new variants are sure to slip past them occasionally, at least for a short while.

Microsoft advises administrators to minimize the potential damage by restricting user access privileges, implementing two-factor authentication where possible, raising security awareness among employees, keeping operating systems, critical software and AV solutions on workstations updated, and using a network intrusion detection system to spot suspicious inbound and outbound connections.
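The two network-visible behaviours reported above, a VNC/proxy listener appearing on a user workstation and regular check-ins from a workstation to one external host, are exactly what the recommended intrusion detection should be looking for. The following script is an added illustration of that triage run over a constructed flow log; it is not code from the article or from Microsoft, Dr. Web or SAP. The log format, the address plan (workstations in 10.10.0.0/16), the decision to treat any inbound connection a workstation accepts as suspicious, and the beaconing thresholds are all assumptions made for the example.

```python
"""Connection-log triage for Gamker-style behaviour: a VNC or proxy listener
on a user workstation, and periodic outbound traffic from a workstation to a
single external host:port (how a C&C check-in looks in flow data).

Added example, not code from the article or from the vendors it quotes. The
record format, the address plan, the VNC port range and the beaconing
thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed address plan: user workstations sit in 10.10.0.0/16; anything
# outside RFC 1918 space counts as external.
WORKSTATIONS = ip_network("10.10.0.0/16")
PRIVATE = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))

# RFC 6143 VNC listens on 5900 + display number; the HTTP/Java viewer variant
# uses 5800 + display. A workstation accepting anything in this range is odd.
VNC_PORTS = range(5800, 6000)

# Beaconing heuristic (assumed thresholds): at least this many flows to one
# external host:port, with interval spread below this fraction of the mean.
BEACON_MIN_FLOWS = 4
BEACON_MAX_SPREAD = 0.2


def is_external(ip):
    return not any(ip in net for net in PRIVATE)


def parse_flow(line):
    """Parse one constructed record: '<iso-time> <src> <sport> <dst> <dport>'.
    src is the originator, dst the responder (the side that accepted)."""
    ts, src, sport, dst, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ip_address(src),
            "sport": int(sport), "dst": ip_address(dst), "dport": int(dport)}


def triage(lines):
    """Return a sorted list of (workstation, alert, detail) tuples."""
    alerts = set()
    outbound = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f["dst"] in WORKSTATIONS:
            # A workstation accepted a connection. Gamker runs both a VNC
            # server and a proxy on the infected host, so flag VNC ports from
            # anywhere and any port reached from outside the private ranges.
            # (Internal-to-internal on other ports is left alone here.)
            if f["dport"] in VNC_PORTS:
                alerts.add((str(f["dst"]), "vnc-listener",
                            f"{f['src']}->:{f['dport']}"))
            elif is_external(f["src"]):
                alerts.add((str(f["dst"]), "inbound-from-external",
                            f"{f['src']}->:{f['dport']}"))
        elif f["src"] in WORKSTATIONS and is_external(f["dst"]):
            outbound[(str(f["src"]), str(f["dst"]), f["dport"])].append(f["ts"])

    # Regularly spaced flows to one external host:port look like a C&C poll.
    for (ws, dst, dport), stamps in outbound.items():
        if len(stamps) < BEACON_MIN_FLOWS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_SPREAD:
            alerts.add((ws, "beacon",
                        f"{dst}:{dport} every ~{int(avg)}s x{len(stamps)}"))
    return sorted(alerts)


# Constructed sample log (not real traffic). 10.10.4.17 checks in with
# 203.0.113.9:443 every five minutes and has accepted a VNC connection from
# outside; 10.10.4.20 is a normal user browsing and using SAP GUI (port 3200).
SAMPLE_LOG = [
    "2013-11-21T10:00:00 10.10.4.17 49152 203.0.113.9 443",
    "2013-11-21T10:05:00 10.10.4.17 49153 203.0.113.9 443",
    "2013-11-21T10:10:01 10.10.4.17 49154 203.0.113.9 443",
    "2013-11-21T10:14:59 10.10.4.17 49155 203.0.113.9 443",
    "2013-11-21T10:20:00 10.10.4.17 49156 203.0.113.9 443",
    "2013-11-21T10:07:12 198.51.100.7 40111 10.10.4.17 5900",
    "2013-11-21T10:01:00 10.10.4.20 50001 203.0.113.50 443",
    "2013-11-21T10:02:00 10.10.4.20 50002 203.0.113.50 443",
    "2013-11-21T10:17:00 10.10.4.20 50003 203.0.113.50 443",
    "2013-11-21T10:17:12 10.10.4.20 50004 203.0.113.50 443",
    "2013-11-21T11:07:00 10.10.4.20 50005 203.0.113.50 443",
    "2013-11-21T10:03:00 10.10.4.20 50006 10.20.0.5 3200",
]

if __name__ == "__main__":
    for ws, kind, detail in triage(SAMPLE_LOG):
        print(f"{ws}: {kind} {detail}")
```

On a real deployment the same two rules would run over Zeek conn.log or NetFlow records rather than the constructed lines above. The listener rule only works where workstations are genuinely not supposed to accept inbound connections, so legitimate remote-support tooling has to be allowlisted first; the beaconing rule is deliberately loose on jitter (20% of the mean interval) because a five-minute poll over HTTPS is indistinguishable from software update checks without the destination reputation that the rule leaves to the analyst.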
COPYRIGHT 1998-2014 BY HELP NET SECURITY.