It’s been long known that cyber-criminals utilize advanced information-stealing malware and Trojans to gain access to corporate endpoints and networks, disrupt operations and steal sensitive business data, intellectual property and financial information. A recent example demonstrates how cyber-criminals are using advanced malware to target mission-critical ERP applications such as SAP.
A new variant of the ‘Shiz’ Trojan, a well-known malware, has recently been discovered. The Trojan was originally designed to provide the attacker with remote access to the infected PC and steal confidential data such as passwords and cryptographic certificates connected to online banking. To execute remote commands and exfiltrate data, Shiz creates a backdoor and communicates with a specific domain. The new variant includes all of these capabilities, and in addition, it searches infected systems for the existence of SAP applications. According to Alexander Polykov from ERPScan, who shares the Shiz malware variant discovery with the antivirus company Doctor Web, “all it does right now is to check which systems have SAP applications installed. However, this might be the beginning for future attacks.”
SAP provides workstation client software that communicates with SAP application servers. These clients serve as the entry point to a wide range of the business SAP applications. The configuration files of these SAP client applications contain the IP addresses of the SAP servers they connect to. Once attackers have remote access to the infected PC, they can easily read the configuration files and GUI automation scripts, grab user credentials, and even hook into the application processes.
SAP applications provide an integrated view of business processes that range from finance and accounting to extended supply chain operations. Large enterprises and global companies rely on these mission-critical applications to provide accurate, up-to-the-minute operations and financial information. Attacks against SAP applications that cause downtime or result in data leakage can put businesses at significant risk.
Preventing Shiz from Compromising User PCs
Trusteer Apex Data Exfiltration Prevention technology prevents Shiz from opening the backdoor needed for data exfiltration and remote access. By deploying Trusteer Apex on employee PCs, enterprises can easily prevent endpoint compromise and protect critical business applications without impacting the users or application availability.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.