Gameker is believed to be the first malware developed by criminals targeting SAP, but new forensics show that it may not be the last: its code is actually related to the Carberp financial malware. The source code for that trojan was leaked earlier this year, paving the way for the efficient development of legions of effective variants.
The stakes are high: SAP’s impact on business operations can range from applications such as tracking the manufacture of a product in a factory, managing human resources processes, or tracking and managing customer sales. “Needless to say, the data contained in SAP systems is often sensitive and the security surrounding SAP systems is a recurring topic in the information security field,” wrote Geoff McDonald, a researcher at Microsoft’s Malware Protection Center, in a blog.
Gamker, McDonald said, clearly shares part of its code with Carberp's code, including the remote control code. “This usage of the virtual network computing (VNC) code indicates that Gamker has the capability to remotely control an infected machine,” McDonald said. A VNC session can be initiated by the attacker to grab any additional information necessary to compromise the SAP server, as well as attack the SAP server directly from the infected machine.
Gamker also records keystrokes per application, generating keylog records in plaintext format to the file. In addition, hardcoded inside the payload is a list of application names that are used as triggers to record additional information; among this list is the SAP Logon for Windows client.
When the keylogging component is loaded, it then additionally records the command-line arguments passed to the application, and begins to capture screenshots of the entire desktop periodically. It captures 10 screenshots spaced about one second apart from each other before transmitting them to the command-and-control (C&C) server.
“In summary, this is an attempted attack on SAP and not just a harmless data-gathering operation to determine if SAP is installed,” McDonald said. “The attackers are using the execution of the SAP component ‘saplogon.exe’ to trigger recording of the command-line arguments passed into it, combined with a series of 10 screenshots to the C&C server.”
These three types of information sent to the server will, in many cases, include critical information. Screenshots capture SAP user name, server name, some confidential data, and more.
“This Trojan’s targeting of businesses, as opposed to individuals, is an alarming move and we will be monitoring this for further developments to protect and inform our customers,” McDonald noted.
A two-factor authentication process may stop this attack from being successful, and administrators should ensure that security critical software such as Java, Adobe Flash, Adobe Reader, Microsoft Office, and web-browser clients are up-to-date, he added. Compliance also needs to be monitored and enforced.