There have been recent reports of malware that targeted SAP users for information theft. We detect this threat as BKDR_SHIZ.TO, and it belongs to a malware family that has been detected since 2010. So far, this particular family has received little attention, but its targeting of SAP applications has raised its profile considerably.
So what do we know about this malware? It primarily acts as a backdoor that logs keystrokes entered by users into certain applications, most notably SAP applications. However, SAP is far from the only target, as the following code highlights:
Figure 1. BKDR_SHIZ searching for applications
This portion of its code checks if certain applications are running on the affected system. It also checks if the file is located in the “right” folder for each application, to ensure that actual installed programs (and not, for example, backups with the same file name) are the ones being logged.
If an application on the list is present, its location is logged and sent to the backdoor’s command-and-control (C&C) server. This allows the attacker to know exactly what applications are installed on the system.
The list of applications targeted is very broad. In the sample shown above, aside from SAP, there are already other classes of products targeted, like encryption software and Bitcoin/Litecoin wallets. In addition, it also targets various games, although most of these were released several years ago.
Its primary routine, aside from this app scanning, is keylogging. It does not limit itself to any application identified earlier; instead the keystrokes inside any active window are logged. The logs are organized using the name of the active window, the time, and the actual keystrokes logged.
Figure 2. Portion of keystroke log
Beyond these routines, it has fairly typical backdoor capabilities. It can:
- Download and execute files
- Restart the operating system
- Update itself
While BKDR_SHIZ.TO does possess the ability to steal information from SAP users, it does not really do so in a “targeted” manner. It is not clear if this may lead to further attacks targeting SAP users; that is certainly one possibility, but others are also possible. It is clear that this particular malware is very indiscriminate when it comes to information theft, making the determination of its goals particularly difficult.