A Russian antivirus company said a new variant of a Trojan program is seeking out computers that have SAP AG client installations, suggesting that cybercriminals may be planning to launch future attacks on systems using the enterprise business operations software.
The malware is a variant of a Trojan program that targets online banking accounts, according to Doctor Web, a security software maker that discovered the virus some two weeks ago. The company has since shared its findings with ERPScan, a developer of business application security products, particularly for SAP systems.
Alexander Polyakov, chief technology officer of ERPScan, said they have analyzed the Trojan and have determined that it is designed “to check which systems have SAP applications installed.”
Typically, he said, malware that performs such scoping functions is an indication that attackers intend either to sell access to the infected machines to other cybercriminals or to launch an attack themselves later.
Polyakov said this is the first malware targeting SAP client software he has seen that was not developed by proof-of-concept researchers but rather by cybercriminals.
While some stolen credentials may provide attackers with limited system access, there are many default administrative credentials that have not been changed by companies.
Attackers who gain access to SAP servers may be able to steal customer information, collect proprietary information or corporate secrets, or steal money from a company by creating and approving rogue purchases or by redirecting customer payments, he said.
Attackers could also launch denial-of-service attacks against a firm’s SAP servers to disrupt operations.