It has long been known that cyber criminals use advanced information-stealing malware and Trojans to gain access to corporate endpoints and networks, disrupt operations and steal sensitive business data, intellectual property and financial information. A recent example demonstrates how cyber criminals are using advanced data-stealing malware to target mission-critical enterprise resource planning (ERP) applications such as SAP.

The Newest Threat to SAP Users

A new variant of the Shiz Trojan, a well-known banking malware, has recently been discovered. The Trojan was originally designed to give the attacker remote access to the infected PC and to steal confidential data such as passwords and cryptographic certificates used for online banking. To execute remote commands and exfiltrate data, Shiz creates a back door and communicates with a specific domain. The new variant retains all of these capabilities and additionally searches infected systems for installed SAP applications.

“All it does right now is to check which systems have SAP applications installed. However, this might be the beginning for future attacks on SAP,” said Alexander Polyakov from ERPScan, who is credited, together with antivirus company Doctor Web, with discovering the Shiz variant.

SAP provides workstation client software that communicates with its application servers. These clients serve as the entry point to a wide range of SAP business applications. The configuration files of these client applications contain the IP addresses of the SAP servers they connect to. Once attackers have remote access to the infected PC, they can easily read the configuration files and graphical user interface automation scripts, grab user credentials and even hook into application processes.
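The reconnaissance described above, an endpoint process reading the SAP client's logon configuration and GUI scripting files, leaves a trace in file-access auditing. The following is an added detection sketch, not code from the original post or from Trusteer or ERPScan: it scans endpoint file-access events and flags any process other than the expected SAP GUI client that reads those files. The file locations (`saplogon.ini`, `SAPUILandscape.xml`, the GUI `Scripts` folder), the expected process names and the event format are assumptions to be adjusted per site, and the sample events are constructed.

```python
"""Flag non-SAP processes reading SAP client configuration or GUI scripts.

Added example (not the original post's or any vendor's code). Paths, process
names and the audit-event layout below are assumptions, not page facts.
"""
import fnmatch
from dataclasses import dataclass
from typing import Iterable, List

# Glob patterns for files that hold SAP server addresses (logon entries) or
# user automation scripts. Assumed locations; adjust to the local SAP GUI install.
SENSITIVE_PATTERNS = [
    r"*\SAP\Common\saplogon.ini",
    r"*\SAP\Common\SAPUILandscape.xml",
    r"*\SAP\SAP GUI\Scripts\*.vbs",
]

# Processes that legitimately read those files. Assumed names (lower-case).
EXPECTED_READERS = {"saplogon.exe", "sapgui.exe"}

# Audit operations that indicate the file content was accessed.
READ_OPS = {"read", "open"}


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    path: str
    reason: str


def is_sensitive(path: str) -> bool:
    """True if the path matches one of the SAP client config/script patterns."""
    normalized = path.replace("/", "\\").lower()
    return any(fnmatch.fnmatch(normalized, pat.lower()) for pat in SENSITIVE_PATTERNS)


def detect(events: Iterable[dict]) -> List[Finding]:
    """Return one Finding per read of a sensitive SAP file by an unexpected process."""
    findings = []
    for ev in events:
        if ev.get("op") not in READ_OPS:
            continue
        if not is_sensitive(ev["path"]):
            continue
        if ev["process"].lower() in EXPECTED_READERS:
            continue
        findings.append(Finding(
            host=ev["host"],
            process=ev["process"],
            path=ev["path"],
            reason="non-SAP process read SAP client configuration or GUI script",
        ))
    return findings


# Constructed sample events; no real hosts, users or malware names.
SAMPLE_EVENTS = [
    {"host": "wks-017", "process": "saplogon.exe", "op": "read",
     "path": r"C:\Users\jdoe\AppData\Roaming\SAP\Common\saplogon.ini"},
    {"host": "wks-017", "process": "svchost.exe", "op": "read",
     "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"host": "wks-017", "process": "update_helper.exe", "op": "read",
     "path": r"C:\Users\jdoe\AppData\Roaming\SAP\Common\saplogon.ini"},
    {"host": "wks-017", "process": "update_helper.exe", "op": "open",
     "path": r"C:\Users\jdoe\Documents\SAP\SAP GUI\Scripts\post_invoice.vbs"},
    {"host": "wks-022", "process": "sapgui.exe", "op": "write",
     "path": r"C:\Users\asmith\AppData\Roaming\SAP\Common\SAPUILandscape.xml"},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.process} -> {f.path} ({f.reason})")
```

Run against the constructed events, the script reports the two reads by `update_helper.exe` and ignores the SAP GUI's own access and the unrelated `hosts` read. In practice the allowlist should be keyed on signed binary paths rather than bare process names, since a name alone is trivially spoofed.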

SAP applications provide an integrated view of business processes that range from finance and accounting to extended supply chain operations. Large enterprises and global companies rely on these mission-critical SAP applications to provide accurate, up-to-the-minute operations and financial information. Attacks against SAP applications that cause downtime or result in data leakage can put businesses at significant risk.

Preventing Shiz From Compromising User PCs

Trusteer Apex Data Exfiltration Prevention technology prevents Shiz from opening the back door needed for data exfiltration and remote access. By deploying Trusteer Apex on employee PCs, enterprises can easily prevent endpoint compromise and protect critical business applications without impacting the SAP users or application availability.

Take a proactive response to today’s advanced persistent threats! Read the white paper to learn how.
