Carberp-based trojan attacking SAP

Recently there has been quite a bit of buzz about an information-stealing trojan that was found to be targeting the logon client for SAP. We detect this trojan as TrojanSpy:Win32/Gamker.A.

SAP is a global company with headquarters in Germany and operations in 130 countries worldwide. SAP develops enterprise software applications for tracking and managing business operations, and is used by an estimated 86% of Forbes 500 companies. These business operations can range from applications such as tracking the manufacture of a product in a factory, managing human resources processes, or tracking and managing customer sales. Needless to say, the data contained in SAP systems is often sensitive and the security surrounding SAP systems is a recurring topic in the information security field.

A few weeks ago, another vendor reported a trojan in the wild specifically including functionality targeting SAP. This is believed to be the first malware developed by criminals targeting SAP.

In this blog we will present our analysis on how this trojan targets SAP and how it has code in common with Win32/Carberp.


Based on Carberp source

Carberp is an infamous banking trojan whose source code was leaked earlier this year, and Gamker clearly shares part of its code with Carberp. Gamker has code matches to the remote-control code contained in Carberp:

  • Carberp/source – absource /pro/all source/RemoteCtl/hvnc2/libs/hvnc/hvnc/

The following files, relative to that directory, match via string constants that are stored encrypted within Gamker:

This usage of the virtual network computing (VNC) code indicates that Gamker has the capability to remotely control an infected machine. It is unclear if there is a larger connection between Gamker and Carberp since the remainder of Gamker’s code differs from Carberp’s publicly leaked code.


SAP targeting

Gamker is a general banking and information-stealing trojan. Among its targets are online banking web-browser sessions, Bitcoin wallets, public and private keys, cryptography tools, and finance-related software applications. In this section we go into detail on the threat this trojan poses to SAP.

The malware records keystrokes per application, writing keylog records in plaintext to the file “%APPDATA%\<lowercase letters>”. An example of these recorded keylogs is as follows:

Figure 1: Example of recorded keylogs


In addition to this keylogging, hardcoded inside the payload is a list of application names which are used as triggers to record additional information. Among this list is the SAP Logon for Windows client, as seen in Figure 2:

Figure 2: Targeting of SAP saplogon.exe component


Table 1 – List of triggers used to record screenshots and command-line arguments

| Executable name trigger | Category assigned by trojan author | Description |
|---|---|---|
| rclient.exe | CFT | Client for Remote Administration |
| CyberTerm.exe | CTERM | Unknown Russian payment-related tool |
| WinPost.exe | POST | Unknown, likely a tool used to perform HTTP POST operations |
| PostMove.exe | POST | Unknown, likely a tool used to perform HTTP POST operations |
| Translink.exe | WU | Tool by Western Union Inc. |
| webmoney.exe | WM | Unknown |
| openvpn-gui | CRYPT | Client for VPN remote access to computers |
| truecrypt.exe | CRYPT | Tool used to manage TrueCrypt protected filesystems |
| bestcrypt.exe | CRYPT | Tool used to manage BestCrypt protected filesystems |
| saplogon.exe | SAP | SAP Logon for Windows |
| oseTokenServer.exe | MCSIGN | Application by Omikron related to electronic banking |
| OEBMCC32.exe | MCLOCAL | Application by Omikron related to electronic banking |
| OEBMCL32.exe | MCLOCAL | Application by Omikron Systemhaus GmbH related to electronic banking |
| ebmain.exe | BANKATLOCAL | Application by UniCredit Bank Australia |
| bcmain.exe | BANKATCASH | Unknown |
| hbp.exe | HPB | Possibly Deutsche Bundesbank Eurosystem |
| Hob.exe | HPB | Possibly Deutsche Bundesbank Eurosystem |
| bb24.exe | PSHEK | Unknown |
| KB_PCB.exe | PSHEK | Profibanka by Komerční banka |
| SecureStoreMgr.exe | PSHEK | Unknown |
| Pkkb.exe | PSHEK | Banking application, Komerční banka |


When the keylogging component is loaded into a process that matches one of the executable names in Table 1, it then additionally records the command-line arguments passed to the application, and begins to capture screenshots of the entire desktop periodically. It captures 10 screenshots spaced about one second apart from each other before transmitting them to the C&C server.

In addition to these listed triggers, there are also two other application lists used as screen and command-line argument-recording triggers included in Table 3 and Table 4 below, under the category names “IT” and “ETC” respectively.

An example of the recorded data after executing “saplogon.exe” with command-line arguments “-test” can be seen in Figure 3 below:

Figure 3: Recording of command-line arguments passed into saplogon.exe


Screenshots are captured every second into the “%APPDATA%\<lowercase letters>\scrs” directory, as seen in Figure 4 below:

Figure 4: Screenshots captured after executing saplogon.exe
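The behaviour described above (a Table 1 executable starts, the injected component records its command line and then writes a burst of about ten screenshots, roughly one second apart, under %APPDATA%\<lowercase letters>\scrs) can be turned into a hunting heuristic. The Python script below is an added example, not code from the original post or from Microsoft; it runs over constructed endpoint telemetry lines in a hypothetical format (`<epoch> PROC_START <image> <pid> <command line>` and `<epoch> FILE_CREATE <pid> <path>`). The 20-second burst window, the `.bmp` extension, the folder name and the pids are assumptions chosen for the sample; the trigger names come from Table 1.

```python
import re
from collections import defaultdict

# Executable names from Table 1 of the post, lower-cased for comparison.
TABLE1_TRIGGERS = {
    "rclient.exe", "cyberterm.exe", "winpost.exe", "postmove.exe",
    "translink.exe", "webmoney.exe", "openvpn-gui", "truecrypt.exe",
    "bestcrypt.exe", "saplogon.exe", "osetokenserver.exe", "oebmcc32.exe",
    "oebmcl32.exe", "ebmain.exe", "bcmain.exe", "hbp.exe", "hob.exe",
    "bb24.exe", "kb_pcb.exe", "securestoremgr.exe", "pkkb.exe",
}

# Screenshot directory pattern: %APPDATA%\<lowercase letters>\scrs\...
# (%APPDATA% normally resolves to <profile>\AppData\Roaming).
SCRS_DIR = re.compile(r"\\AppData\\Roaming\\([a-z]+)\\scrs\\")

BURST_COUNT = 10            # the post reports 10 screenshots per trigger
BURST_WINDOW_SECONDS = 20.0  # assumption: ~1 s apart, with slack for jitter


def parse_line(line):
    """Parse one constructed telemetry line (hypothetical format) into a dict."""
    ts, kind, rest = line.split(maxsplit=2)
    event = {"ts": float(ts), "kind": kind}
    if kind == "PROC_START":
        fields = rest.split(maxsplit=2)
        event["image"] = fields[0]
        event["pid"] = int(fields[1])
        event["cmdline"] = fields[2] if len(fields) > 2 else ""
    elif kind == "FILE_CREATE":
        pid, path = rest.split(maxsplit=1)
        event["pid"] = int(pid)
        event["path"] = path
    else:
        raise ValueError(f"unknown event kind: {kind}")
    return event


def find_screenshot_bursts(lines):
    """Return one alert per burst of >= BURST_COUNT screenshot files written
    by a single process into a %APPDATA%\\<lowercase>\\scrs directory, joined
    to that process's start record so the analyst sees the trigger image and
    the command line the trojan would also have recorded."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    starts = {e["pid"]: e for e in events if e["kind"] == "PROC_START"}

    # Screenshot creation timestamps grouped by (pid, appdata subdirectory).
    shots = defaultdict(list)
    for e in events:
        if e["kind"] != "FILE_CREATE":
            continue
        m = SCRS_DIR.search(e["path"])
        if m:
            shots[(e["pid"], m.group(1))].append(e["ts"])

    alerts = []
    for (pid, subdir), times in shots.items():
        i = 0  # sliding window [i, j] over sorted timestamps
        for j in range(len(times)):
            while times[j] - times[i] > BURST_WINDOW_SECONDS:
                i += 1
            if j - i + 1 >= BURST_COUNT:
                proc = starts.get(pid)
                image = proc["image"] if proc else "<unknown>"
                alerts.append({
                    "pid": pid,
                    "image": image,
                    "trigger_listed": image.lower() in TABLE1_TRIGGERS,
                    "cmdline": proc["cmdline"] if proc else "",
                    "subdir": subdir,
                    "count": j - i + 1,
                    "first_ts": times[i],
                })
                i = j + 1  # burst consumed; do not re-alert on the same files

    return alerts


# Constructed sample telemetry: one saplogon.exe start followed by ten
# screenshot writes from the same pid, plus benign noise and a sub-threshold
# group of three files from another pid.
SAMPLE_LOG = r"""
1000.0 PROC_START explorer.exe 400
1000.5 FILE_CREATE 400 C:\Users\alice\Documents\notes.txt
1001.0 PROC_START saplogon.exe 1234 saplogon.exe -test
1002.0 FILE_CREATE 1234 C:\Users\alice\AppData\Roaming\qwertyuiop\scrs\001.bmp
1003.0 FILE_CREATE 1234 C:\Users\alice\AppData\Roaming\qwertyuiop\scrs\002.bmp
1004.0 FILE_CREATE 1234 C:\Users\alice\AppData\Roaming\qwertyuiop\scrs\003.bmp
1005.0 FILE_CREATE 1234 C:\Users\alice\AppData\Roaming\qwertyuiop\scrs\004.bmp
1006.0 FILE_CREATE 1234 C:\Users\alice\AppData\Roaming\qwertyuiop\scrs\005.bmp
1007.0 FILE_CREATE 1234 C:\Users\alice\AppData\Roaming\qwertyuiop\scrs\006.bmp
1008.0 FILE_CREATE 1234 C:\Users\alice\AppData\Roaming\qwertyuiop\scrs\007.bmp
1009.0 FILE_CREATE 1234 C:\Users\alice\AppData\Roaming\qwertyuiop\scrs\008.bmp
1010.0 FILE_CREATE 1234 C:\Users\alice\AppData\Roaming\qwertyuiop\scrs\009.bmp
1011.0 FILE_CREATE 1234 C:\Users\alice\AppData\Roaming\qwertyuiop\scrs\010.bmp
1012.0 FILE_CREATE 999 C:\Users\alice\AppData\Roaming\abcdef\scrs\001.bmp
1013.0 FILE_CREATE 999 C:\Users\alice\AppData\Roaming\abcdef\scrs\002.bmp
1014.0 FILE_CREATE 999 C:\Users\alice\AppData\Roaming\abcdef\scrs\003.bmp
"""

if __name__ == "__main__":
    for alert in find_screenshot_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The pid join matters because the post says the keylogging component runs inside the trigger process, so the screenshot writes come from the trigger's own pid; the three-file group from pid 999 stays below the threshold and is not reported. On real telemetry the same logic applies to whichever file-creation source is available (for example a Sysmon file-create event stream), with the trigger set extended from Tables 3 and 4.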


In summary, this is an attempted attack on SAP and not just a harmless data-gathering operation to determine if SAP is installed. The attackers are using the execution of the SAP component “saplogon.exe” to trigger recording of the command-line arguments passed into it, combined with a series of 10 screenshots to the C&C server. These three types of information sent to the server will, in many cases, include critical information such as:

  • Keylogs: SAP password and sometimes the user name.
  • Screenshots: SAP user name, server name, some confidential data, and more.
  • Command-line arguments: unlikely to contain sensitive information, based on initial analysis of the ‘saplogon.exe’ binary.
  • VNC: a VNC session can be initiated by the attacker to grab any additional information necessary to compromise the SAP server, as well as to attack the SAP server directly from the infected machine.

This trojan’s targeting of businesses, as opposed to individuals, is an alarming move and we will be monitoring this for further developments to protect and inform our customers.


Mitigating the risk

To reduce the risk of and mitigate the damages caused by an attack like the one on SAP, there are a number of recommended security policies. Some general recommended policies are as follows:

  • Access control. Grant users the minimum access privilege level required to complete their job. This reduces the amount of data compromised in a successful attack.
  • Two-factor authentication. A two-factor authentication process may stop this attack from being successful.
  • Security education. Schedule training courses for all employees. A security-smart employee may be able to avoid infection in the first place.
  • Antimalware solution. Run antimalware software on all workstations and monitor compliance. This may detect the trojan prior to infecting the workstation.
  • Network intrusion detection system. This may create alerts on the suspicious VNC connection, detect the data exfiltration, or may also detect the trojan C&C communication on the network.
  • Security management. Ensure workstations are running up-to-date versions of Windows with the latest security patches applied, and that all security-critical software such as Java, Adobe Flash, Adobe Reader, Microsoft Office, and web-browser clients is up-to-date. Compliance needs to be monitored and enforced.

For further recommendations, guidelines, and information on additional SAP security products it is recommended to consult SAP and read through their security solutions.



Geoff McDonald

Table 2 – Reference checksums for analyzed samples

| Checksum | Detection | Comment |
|---|---|---|
| MD5: c9197f34d616b46074509b4827c85675 | | Injects the trojan into all processes. |
| MD5: efe6cd23659a05478e28e08a138df81e | TrojanSpy:Win32/Gamker.A | Carberp-based password and information stealer. |


Table 3 – Additional screen and command-line capture triggers under the category “IT”

TelemacoBusinessManager.exe Ceedo.exe FileProtector.exe
Telemaco.exe CeedoRT.exe contoc.exe
StartCeedo.exe legalSign.exe IDProtect Monitor.exe
dikeutil.exe SIManager.exe bit4pin.exe


Table 4 – Additional screen and command-line capture triggers under the category “ETC”

iscc.exe rmclient.exe Dealer.exe visa.exe SACLIENT.exe
info.exe eclnt.exe QUICKPAY.exe ClientBK.exe SXDOC.exe
WClient.exe Client32.exe UNISTREAM.exe OnCBCli.exe RETAIL32.exe
IMBLink32.exe client6.exe iWallet.exe BUDGET.exe UARM.exe
Bk_kw32.exe ClntW32.exe bitcoin-qt.exe ARM\ARM.exe CLB.exe
BC_Loader.exe el_cli.exe Pmodule.exe WUPostAgent.exe PRCLIENT.exe
elbank.exe LFCPaymentAIS.exe RETAIL.exe ProductPrototype.exe EELCLNT.exe
selva_copy.exe UpOfCards.exe QIWIGUARD.exe MWCLIENT32.exe ASBANK_LITE.exe
EximClient.exe Payments.exe OKMain.exe JSCASHMAIN.exe MMBANK.exe
bb.exe PaymMaster.exe CSHELL.exe EffectOffice.Client.exe BBCLIENT.exe
startclient7.exe ubs_net.exe CNCCLIENT.exe WFINIST.exe BCLIENT.exe
terminal.exe LPBOS.exe ContactNG.exe ETSRV.exe xplat_client.exe
bankcl.exe fcClient.exe BANK32.exe BBMS.exe PinPayR.exe
kb_cli.exe Edealer.exe URALPROM.exe bk.exe DTPayDesk.exe
cb193w.exe Qiwicashier.exe TERMW.exe SAADM.exe W32MKDE.exe


Comments (7)

  1. ivan says:

    O, it is «Trojan.Ibank» (Dr.Web) Compare listing –

  2. John says:

    WebMoney is online payment system (Russia)

    ELBA5 – soft for electronic banking system (Germany)

  3. Denis says:

    Lol, and you still use Windows XP while telling us to migrate to Win 8 ASAP?

  4. It was only a matter of time says:

    Targeting of business financial systems has been a long time coming. Great write up.

    Thanks for the info!

    Note: The XP machine is a dynamic analysis machine not the machine he uses regularly.

  5. tony says:

    Last night I think I collected information on how it's done remotely. Joining, send it in.

  6. tony says:

    Tony, I have the information on how they do it; it's in my email. Who do I send it to?