Carberp-based trojan attacking SAP
Recently there has been quite a bit of buzz about an information-stealing trojan that was found to be targeting the logon client for SAP. We detect this trojan as TrojanSpy:Win32/Gamker.A.
SAP is a global company with headquarters in Germany and operations in 130 countries worldwide. SAP develops enterprise software applications for tracking and managing business operations, and is used by an estimated 86% of Forbes 500 companies. These business operations can range from applications such as tracking the manufacture of a product in a factory, managing human resources processes, or tracking and managing customer sales. Needless to say, the data contained in SAP systems is often sensitive and the security surrounding SAP systems is a recurring topic in the information security field.
A few weeks ago, another vendor reported a trojan in the wild specifically including functionality targeting SAP. This is believed to be the first malware developed by criminals targeting SAP.
In this blog we will present our analysis on how this trojan targets SAP and how it has code in common with Win32/Carberp.
Based on Carberp source
Carberp is an infamous banking trojan whose source code was leaked earlier this year, and Gamker clearly shares part of its code with Carberp. Gamker has code matches to the remote control code contained in Carberp:
- Carberp/source - absource /pro/all source/RemoteCtl/hvnc2/libs/hvnc/hvnc/
The following relative files match through the string constants that are encrypted within Gamker:
This usage of the virtual network computing (VNC) code indicates that Gamker has the capability to remotely control an infected machine. It is unclear if there is a larger connection between Gamker and Carberp since the remainder of Gamker’s code differs from Carberp's publicly leaked code.
SAP targeting
Gamker is a general banking and information-stealing trojan. Among its targets are online banking web-browser sessions, BitCoin wallets, public and private keys, cryptography tools, and finance-related software applications. In this section we go into detail on the threat this trojan poses to SAP.
The malware records keystrokes per application, writing keylog records in plaintext to the file "%APPDATA%\<lowercase letters>". An example of these recorded keylogs is as follows:
Figure 1: Example of recorded keylogs
In addition to this keylogging, hardcoded inside the payload is a list of application names which are used as triggers to record additional information. Among this list is the SAP Logon for Windows client, as seen in Figure 2:
Figure 2: Targeting of SAP saplogon.exe component
Table 1 - List of triggers used to record screenshots and command-line arguments

| Executable name trigger | Category assigned by trojan author | Description |
|---|---|---|
| rclient.exe | CFT | Client for Remote Administration |
| CyberTerm.exe | CTERM | Unknown Russian payment-related tool |
| WinPost.exe | POST | Unknown, likely a tool used to perform HTTP POST operations |
| PostMove.exe | POST | Unknown, likely a tool used to perform HTTP POST operations |
| Translink.exe | WU | Tool by Western Union Inc |
| webmoney.exe | WM | Unknown |
| openvpn-gui | CRYPT | Client for VPN remote access to computers |
| truecrypt.exe | CRYPT | Tool used to manage TrueCrypt protected filesystems |
| bestcrypt.exe | CRYPT | Tool used to manage BestCrypt protected filesystems |
| saplogon.exe | SAP | SAP Logon for Windows |
| ELBA5STANDBY.exx | ELBALOCAL | Unknown |
| ELBA5.exx | ELBALOCAL | Unknown |
| oseTokenServer.exe | MCSIGN | Application by Omikron related to electronic banking |
| OEBMCC32.exe | MCLOCAL | Application by Omikron related to electronic banking |
| OEBMCL32.exe | MCLOCAL | Application by Omikron Systemhaus GmbH related to electronic banking |
| ebmain.exe | BANKATLOCAL | Application by UniCredit Bank Australia |
| bcmain.exe | BANKATCASH | Unknown |
| hbp.exe | HPB | Maybe Deutsche Bundesbank Eurosystem |
| Hob.exe | HPB | Maybe Deutsche Bundesbank Eurosystem |
| bb24.exe | PSHEK | Unknown |
| KB_PCB.exe | PSHEK | Profibanka by Komercní banka |
| SecureStoreMgr.exe | PSHEK | Unknown |
| Pkkb.exe | PSHEK | Banking application, Komercní banka |
When the keylogging component is loaded into a process that matches one of the executable names in Table 1, it then additionally records the command-line arguments passed to the application, and begins to capture screenshots of the entire desktop periodically. It captures 10 screenshots spaced about one second apart from each other before transmitting them to the C&C server.
In addition to these listed triggers, there are also two other application lists used as screen and command-line argument-recording triggers included in Table 3 and Table 4 below, under the category names "IT" and "ETC" respectively.
An example of the recorded data after executing "saplogon.exe" with command-line arguments "-test" can be seen in Figure 3 below:
Figure 3: Recording of command-line arguments passed into saplogon.exe
Screenshots are captured every second into the "%APPDATA%\<lowercase letters>\scrs\" directory, as seen in Figure 4 below:
Figure 4: Screenshots captured after executing saplogon.exe
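The on-disk layout just described (a lowercase-letters-only directory under %APPDATA% holding a plaintext keylog and a "scrs" subdirectory of screenshots) is something a responder can sweep for. The following is an added hunting script, not code from the original post or from the MMPC; the sample directory tree it builds is constructed for the demonstration, and the keylog file name "kl.txt" is invented since the post does not give one.

```python
import os
import re
import tempfile

# Gamker drops its working directory directly under %APPDATA% with a name made only
# of lowercase letters; keylogs are written there in plaintext and screenshots go
# into a "scrs" subdirectory (Figures 1 and 4 in the post).
LOWERCASE_NAME = re.compile(r"^[a-z]+$")
SCREENSHOT_SUBDIR = "scrs"


def find_gamker_artifacts(appdata_dir, min_screenshots=1):
    """Return [(directory, screenshot_count, [plain files beside scrs/])] for every
    lowercase-only directory that also holds a populated scrs/ subdirectory."""
    hits = []
    if not os.path.isdir(appdata_dir):
        return hits
    for name in sorted(os.listdir(appdata_dir)):
        path = os.path.join(appdata_dir, name)
        if not (os.path.isdir(path) and LOWERCASE_NAME.match(name)):
            continue
        scrs = os.path.join(path, SCREENSHOT_SUBDIR)
        if not os.path.isdir(scrs):
            continue
        shots = [f for f in os.listdir(scrs) if os.path.isfile(os.path.join(scrs, f))]
        if len(shots) < min_screenshots:
            continue
        # Any plain file sitting beside scrs/ is a candidate keylog to collect.
        logs = sorted(f for f in os.listdir(path) if os.path.isfile(os.path.join(path, f)))
        hits.append((path, len(shots), logs))
    return hits


def build_sample_appdata():
    """Constructed sample tree (not real malware output): one benign vendor
    directory and one directory laid out the way the post describes."""
    root = tempfile.mkdtemp(prefix="appdata_")
    os.makedirs(os.path.join(root, "Microsoft", "Windows"))   # mixed case: ignored
    bad = os.path.join(root, "qwertzuiop")                    # lowercase-only name
    os.makedirs(os.path.join(bad, SCREENSHOT_SUBDIR))
    with open(os.path.join(bad, "kl.txt"), "w") as fh:       # invented file name
        fh.write("saplogon.exe -test\n")
    for i in range(10):                                       # one batch of 10 shots
        with open(os.path.join(bad, SCREENSHOT_SUBDIR, f"{i}.bmp"), "wb") as fh:
            fh.write(b"BM")
    return root


if __name__ == "__main__":
    target = os.environ.get("APPDATA") or build_sample_appdata()
    for path, count, logs in find_gamker_artifacts(target):
        print(f"suspicious: {path} ({count} screenshots, files beside scrs/: {logs})")
```

On a Windows host the script sweeps the real %APPDATA%; elsewhere it falls back to the constructed sample tree so the logic can be exercised offline.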
In summary, this is an attempted attack on SAP and not just a harmless data-gathering operation to determine if SAP is installed. The attackers use the execution of the SAP component "saplogon.exe" to trigger recording of the command-line arguments passed into it and to send a series of 10 screenshots to the C&C server. These three types of information sent to the server will, in many cases, include critical information such as:
- Keylogs:
  - SAP password and sometimes the user name.
- Screenshots:
  - SAP user name, server name, some confidential data, and more.
- Command-line arguments:
  - Unlikely to contain sensitive information based on initial analysis of the ‘saplogon.exe’ binary.
- VNC:
  - A VNC session can be initiated by the attacker to grab any additional information necessary to compromise the SAP server, as well as attack the SAP server directly from the infected machine.
This trojan’s targeting of businesses, as opposed to individuals, is an alarming move and we will be monitoring this for further developments to protect and inform our customers.
Mitigating the risk
To reduce the risk of and mitigate the damages caused by an attack like the one on SAP, there are a number of recommended security policies. Some general recommended policies are as follows:
- Access control. Grant users the minimum access privilege level required to complete their job. This reduces the amount of data compromised in a successful attack.
- Two-factor authentication. A two-factor authentication process may stop this attack from being successful.
- Security education. Schedule training courses for all employees. A security-smart employee may be able to avoid infection in the first place.
- Antimalware solution. Run antimalware software on all workstations and monitor compliance. This may detect the trojan prior to infecting the workstation.
- Network intrusion detection system. This may create alerts on the suspicious VNC connection, detect the data exfiltration, or may also detect the trojan C&C communication on the network.
- Security management. Ensure workstations are running up-to-date versions of Windows with the latest security patches applied, and that all security-critical software such as Java, Adobe Flash, Adobe Reader, Microsoft Office, and web-browser clients is up to date. Compliance needs to be monitored and enforced.
For further recommendations, guidelines, and information on additional SAP security products it is recommended to consult SAP and read through their security solutions.
Geoff McDonald
MMPC
Appendix
Table 2 – Reference checksums for analyzed samples

| Checksum | Detection | Comment |
|---|---|---|
| SHA1: 4e2da5a532451500e890d176d71dc878844a9baa, MD5: c9197f34d616b46074509b4827c85675 | TrojanSpy:Win32/Gamker.A | Injects the trojan into all processes. |
| SHA1: 6a9e1f85068fe1e4607b993774fc9cb229cd751b, MD5: efe6cd23659a05478e28e08a138df81e | | Carberp-based password and information stealer. |
Table 3 – Additional screen and command-line capture triggers under the category "IT"

| Executable name trigger |
|---|
| TelemacoBusinessManager.exe |
| Ceedo.exe |
| FileProtector.exe |
| Telemaco.exe |
| CeedoRT.exe |
| contoc.exe |
| StartCeedo.exe |
| legalSign.exe |
| IDProtect Monitor.exe |
| dikeutil.exe |
| SIManager.exe |
| bit4pin.exe |
Table 4 – Additional screen and command-line capture triggers under the category "ETC"
| Executable name triggers | | | | |
|---|---|---|---|---|
| iscc.exe | rmclient.exe | Dealer.exe | visa.exe | SACLIENT.exe |
| info.exe | eclnt.exe | QUICKPAY.exe | ClientBK.exe | SXDOC.exe |
| WClient.exe | Client32.exe | UNISTREAM.exe | OnCBCli.exe | RETAIL32.exe |
| IMBLink32.exe | client6.exe | iWallet.exe | BUDGET.exe | UARM.exe |
| Bk_kw32.exe | ClntW32.exe | bitcoin-qt.exe | ARM\\ARM.exe | CLB.exe |
| BC_Loader.exe | el_cli.exe | Pmodule.exe | WUPostAgent.exe | PRCLIENT.exe |
| elbank.exe | LFCPaymentAIS.exe | RETAIL.exe | ProductPrototype.exe | EELCLNT.exe |
| selva_copy.exe | UpOfCards.exe | QIWIGUARD.exe | MWCLIENT32.exe | ASBANK_LITE.exe |
| EximClient.exe | Payments.exe | OKMain.exe | JSCASHMAIN.exe | MMBANK.exe |
| bb.exe | PaymMaster.exe | CSHELL.exe | EffectOffice.Client.exe | BBCLIENT.exe |
| startclient7.exe | ubs_net.exe | CNCCLIENT.exe | WFINIST.exe | BCLIENT.exe |
| terminal.exe | LPBOS.exe | ContactNG.exe | ETSRV.exe | xplat_client.exe |
| bankcl.exe | fcClient.exe | BANK32.exe | BBMS.exe | PinPayR.exe |
| kb_cli.exe | Edealer.exe | URALPROM.exe | bk.exe | DTPayDesk.exe |
| cb193w.exe | Qiwicashier.exe | TERMW.exe | SAADM.exe | W32MKDE.exe |
| RTADMIN.exe | RTCERT.exe | litecoin-qt.exe | Transact.exe | Ibwn8.exe |
| clcard.exe | avn_cc.exe | sapphire.exe | srclbclient.exee | Client2.exe |
| WebLogin.exe | rpay.exe | KBADMIN.exe | Sunflow.exe | CliBank.exe |
| KLBS.exe | AdClient.exe | payment_processor.exe | NURITSmartLoader.exe | Omeg\\M7.exe |
| SGBClient.exe | iquote32.exe | plat.exe | ibcremote31.exe | WinVal.exe |
| Payroll.exe | CLBank.exe | LBank.exe | | |