Carberp-based trojan attacking SAP

Jump to navigation Jump to search

(Publication) Google search: [1]

Carberp-based trojan attacking SAP
Botnet Carberp, Gamker
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2013 / 2013-11-20
Editor/Conference Microsoft Malware Protection Centre
Link (Archive copy)
Author Geoff McDonald
Type Blogpost


ecently there has been quite a bit of buzz about an information-stealing trojan that was found to be targeting the logon client for SAP. We detect this trojan as TrojanSpy:Win32/Gamker.A.

SAP is a global company with headquarters in Germany and operations in 130 countries worldwide. SAP develops enterprise software applications for tracking and managing business operations, and is used by an estimated 86% of Forbes 500 companies. These business operations can range from applications such as tracking the manufacture of a product in a factory, managing human resources processes, or tracking and managing customer sales. Needless to say, the data contained in SAP systems is often sensitive and the security surrounding SAP systems is a recurring topic in the information security field.

A few weeks ago, another vendor reported a trojan in the wild specifically including functionality targeting SAP. This is believed to be the first malware developed by criminals targeting SAP.

In this blog we will present our analysis on how this trojan targets SAP and how it has code in common with Win32/Carberp.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2013BFR4714,
   editor = {Microsoft Malware Protection Centre},
   author = {Geoff McDonald},
   title = {Carberp-based trojan attacking SAP},
   date = {20},
   month = Nov,
   year = {2013},
   howpublished = {\url{}},