Carberp-based trojan attacking SAP

Recently there has been quite a bit of buzz about an information-stealing trojan that was found to be targeting the logon client for SAP. We detect this trojan as TrojanSpy:Win32/Gamker.A.

SAP is a global company with headquarters in Germany and operations in 130 countries worldwide. SAP develops enterprise software applications for tracking and managing business operations, and is used by an estimated 86% of Forbes 500 companies. These business operations can range from applications such as tracking the manufacture of a product in a factory, managing human resources processes, or tracking and managing customer sales. Needless to say, the data contained in SAP systems is often sensitive and the security surrounding SAP systems is a recurring topic in the information security field.

A few weeks ago, another vendor reported a trojan in the wild specifically including functionality targeting SAP. This is believed to be the first malware developed by criminals targeting SAP.

In this blog we will present our analysis on how this trojan targets SAP and how it has code in common with Win32/Carberp.

 

Based on Carberp source

Carberp is an infamous banking trojan whose source-code was leaked earlier this year, and Gamker clearly shares part of its code with Carberp's code. Gamker has code-matches to the remote control code contained in Carberp:

  • Carberp/source - absource /pro/all source/RemoteCtl/hvnc2/libs/hvnc/hvnc/

The following relative files match through the string constants that are encrypted within Gamker:

This usage of the virtual network computing (VNC) code indicates that Gamker has the capability to remotely control an infected machine. It is unclear if there is a larger connection between Gamker and Carberp since the remainder of Gamker’s code differs from Carberp's publicly leaked code.

 

SAP targeting

Gamker is a general banking and information-stealing trojan. Among its targets are online banking web-browser sessions, BitCoin wallets, public and private keys, cryptography tools, and finance-related software applications. In this section we go into detail on the threat this trojan poses to SAP.

The malware records keystrokes per application, generating keylog records in plaintext format to the file "%APPDATA%\<lowercase letters>". An example of these recorded keylogs is as follows:

Example keylogs

Figure 1: Example of recorded keylogs

 

In addition to this keylogging, hardcoded inside the payload is a list of application names which are used as triggers to record additional information. Among this list is the SAP Logon for Windows client, as seen in Figure 2: 

Highlighted targeted saplogon.exe component

Figure 2: Targeting of SAP saplogon.exe component

 

Table 1 - List of triggers used to record screenshots and command-line arguments

Executable name trigger

Category assigned by trojan author

Description

rclient.exe

CFT

Client for Remote Administration

CyberTerm.exe

CTERM

Unknown Russian payment-related tool

WinPost.exe

POST

Unknown, likely a tool use to perform HTTP POST operations

PostMove.exe

POST

Unknown, likely a tool use to perform HTTP POST operations

Translink.exe

WU

Tool by Western Union Inc

webmoney.exe

WM

Unknown

openvpn-gui

CRYPT

Client for VPN remote access to computers

truecrypt.exe

CRYPT

Tool used to manage TrueCrypt protected filesystems

bestcrypt.exe

CRYPT

Tool used to manage BestCrypt protected filesystems

saplogon.exe

SAP

SAP Logon for Windows

ELBA5STANDBY.exx

ELBALOCAL

Unknown

ELBA5.exx

ELBALOCAL

Unknown

oseTokenServer.exe

MCSIGN

Application by Omikron related to electronic banking

OEBMCC32.exe

MCLOCAL

Application by Omikron related to electronic banking

OEBMCL32.exe

MCLOCAL

Application by Omikron Systemhaus GmbH related to electronic banking

ebmain.exe

BANKATLOCAL

Application by UniCredit Bank Australia

bcmain.exe

BANKATCASH

Unknown

hbp.exe

HPB

Maybe Deutsche Bundesbank Eurosystem

Hob.exe

HPB

Maybe Deutsche Bundesbank Eurosystem

bb24.exe

PSHEK

Unknown

KB_PCB.exe

PSHEK

Profibanka by Komercní banka

SecureStoreMgr.exe

PSHEK

Unknown

Pkkb.exe

PSHEK

Banking application, Komercní banka

 

When the keylogging component is loaded into a process that matches one of the executable names in Table 1, it then additionally records the command-line arguments passed to the application, and begins to capture screenshots of the entire desktop periodically. It captures 10 screenshots spaced about one second apart from each other before transmitting them to the C&C server.

In addition to these listed triggers, there are also two other application lists used as screen and command-line argument-recording triggers included in Table 3 and Table 4 below, under the category names "IT" and "ETC" respectively.

An example of the recorded data after executing "saplogon.exe" with command-line arguments "-test" can be seen in Figure 3 below:

Screenshot of recording of command-line arguments passed into saplogon.exe

Figure 3: Recording of command-line arguments passed into saplogon.exe

 

With screenshots captured every one second in the "%APPDATA%\<lowercase letters>\scrs\" directory seen in Figure 4 below:

Screenshots captured after running saplogon.exe

Figure 4: Screenshots captured after executing saplogon.exe

 

In summary, this is an attempted attack on SAP and not just a harmless data-gathering operation to determine if SAP is installed. The attackers are using the execution of the SAP component "saplogon.exe" to trigger recording of the command-line arguments passed into it, combined with a series of 10 screenshots to the C&C server. These three types of information sent to the server will, in many cases, include critical information such as:

  1. Keylogs:
    • SAP password and sometimes the user name.
  2. Screenshots:
    • SAP user name, server name, some confidential data, and more.
  3. Command-line arguments:
    • Unlikely to contain sensitive information based on initial analysis of the ‘saplogon.exe’ binary.
  4. VNC:
    • A VNC session can be initiated by the attacker to grab any additional information necessary to compromise the SAP server, as well as attack the SAP server directly from the infected machine.

This trojan’s targeting of businesses, as opposed to individuals, is an alarming move and we will be monitoring this for further developments to protect and inform our customers.

 

Mitigating the risk

To reduce the risk of and mitigate the damages caused by an attack like the one on SAP, there are a number of recommended security policies. Some general recommended policies are as follows:

  • Access control. Grant users the minimum access privilege level required to complete their job. This reduces the amount of data compromised in a successful attack.
  • Two-factor authentication. A two-factor authentication process may stop this attack from being successful.
  • Security education. Schedule training courses for all employees. A security-smart employee may be able to avoid infection in the first place.
  • Antimalware solution. Run antimalware software on all workstations and monitor compliance. This may detect the trojan prior to infecting the workstation.
  • Network intrusion detection system. This may create alerts on the suspicious VNC connection, detect the data exfiltration, or may also detect the trojan C&C communication on the network.
  • Security management. Ensure workstations are running up-to-date versions of Windows with the latest security patches applied. All security critical software such as Java, Adobe Flash, Adobe Reader, Microsoft Office, and web-browser clients are up-to-date. Compliance needs to be monitored and enforced.

For further recommendations, guidelines, and information on additional SAP security products it is recommended to consult SAP and read through their security solutions.

 

 

Geoff McDonald

MMPC

Appendix

 

Table 2 – Reference checksums for analyzed samples

Checksum

Detection

Comment

SHA1:4e2da5a532451500e890d176d71dc878844a9baa

MD5: c9197f34d616b46074509b4827c85675

  TrojanSpy:Win32/Gamker.A

 

Injects the trojan into all processes.

SHA1:6a9e1f85068fe1e4607b993774fc9cb229cd751b

MD5: efe6cd23659a05478e28e08a138df81e

TrojanSpy:Win32/Gamker.A

Carberp-based password and information stealer.

 

Table 3 – Additional screen and command-line capture triggers under the category "IT"

TelemacoBusinessManager.exe

Ceedo.exe

FileProtector.exe

Telemaco.exe

CeedoRT.exe

contoc.exe

StartCeedo.exe

legalSign.exe

IDProtect Monitor.exe

dikeutil.exe

SIManager.exe

bit4pin.exe

 

Table 4 – Additional screen and command-line capture triggers under the category "ETC"

iscc.exe

rmclient.exe

Dealer.exe

visa.exe

SACLIENT.exe

info.exe

eclnt.exe

QUICKPAY.exe

ClientBK.exe

SXDOC.exe

WClient.exe

Client32.exe

UNISTREAM.exe

OnCBCli.exe

RETAIL32.exe

IMBLink32.exe

client6.exe

iWallet.exe

BUDGET.exe

UARM.exe

Bk_kw32.exe

ClntW32.exe

bitcoin-qt.exe

ARM\\ARM.exe

CLB.exe

BC_Loader.exe

el_cli.exe

Pmodule.exe

WUPostAgent.exe

PRCLIENT.exe

elbank.exe

LFCPaymentAIS.exe

RETAIL.exe

ProductPrototype.exe

EELCLNT.exe

selva_copy.exe

UpOfCards.exe

QIWIGUARD.exe

MWCLIENT32.exe

ASBANK_LITE.exe

EximClient.exe

Payments.exe

OKMain.exe

JSCASHMAIN.exe

MMBANK.exe

bb.exe

PaymMaster.exe

CSHELL.exe

EffectOffice.Client.exe

BBCLIENT.exe

startclient7.exe

ubs_net.exe

CNCCLIENT.exe

WFINIST.exe

BCLIENT.exe

terminal.exe

LPBOS.exe

ContactNG.exe

ETSRV.exe

xplat_client.exe

bankcl.exe

fcClient.exe

BANK32.exe

BBMS.exe

PinPayR.exe

kb_cli.exe

Edealer.exe

URALPROM.exe

bk.exe

DTPayDesk.exe

cb193w.exe

Qiwicashier.exe

TERMW.exe

SAADM.exe

W32MKDE.exe

RTADMIN.exe RTCERT.exe litecoin-qt.exe Transact.exe Ibwn8.exe
clcard.exe avn_cc.exe sapphire.exe srclbclient.exee Client2.exe
WebLogin.exe rpay.exe KBADMIN.exe Sunflow.exe CliBank.exe
KLBS.exe AdClient.exe payment_processor.exe NURITSmartLoader.exe Omeg\\M7.exe
SGBClient.exe iquote32.exe plat.exe ibcremote31.exe WinVal.exe
Payroll.exe CLBank.exe LBank.exe