It has long been known that cyber criminals use advanced information-stealing malware and Trojans to gain access to corporate endpoints and networks, disrupt operations and steal sensitive business data, intellectual property and financial information. A recent example shows how cyber criminals are now using advanced data-stealing malware to target mission-critical enterprise resource planning (ERP) applications such as SAP.

The Newest Threat to SAP Users

A new variant of the Shiz Trojan, a well-known banking malware, has recently been discovered. The Trojan was originally designed to give the attacker remote access to the infected PC and to steal confidential data such as passwords and cryptographic certificates used for online banking. To execute remote commands and exfiltrate data, Shiz opens a back door and communicates with a specific domain. The new variant retains all of these capabilities and additionally searches infected systems for installed SAP applications.

“All it does right now is to check which systems have SAP applications installed. However, this might be the beginning for future attacks on SAP,” said Alexander Polyakov from ERPScan, who shares credit for the discovery of the Shiz variant with antivirus company Doctor Web.

SAP provides workstation client software that communicates with its application servers. These clients are the entry point to a wide range of SAP business applications. The configuration files of these client applications contain the IP addresses of the SAP servers they connect to. Once attackers have remote access to an infected PC, they can easily read those configuration files and graphical user interface automation scripts, grab user credentials and even hook into application processes.

SAP applications provide an integrated view of business processes that range from finance and accounting to extended supply chain operations. Large enterprises and global companies rely on these mission-critical SAP applications to provide accurate, up-to-the-minute operations and financial information. Attacks against SAP applications that cause downtime or result in data leakage can put businesses at significant risk.

Preventing Shiz From Compromising User PCs

Trusteer Apex Data Exfiltration Prevention technology prevents Shiz from opening the back door needed for data exfiltration and remote access. By deploying Trusteer Apex on employee PCs, enterprises can easily prevent endpoint compromise and protect critical business applications without impacting the SAP users or application availability.
