
The invisible enemy

Cybercriminals are finding new ways to obtain sensitive data from their victims undetected, by means of fileless malware. CERT-Bund and numerous security researchers warn against these attacks.
Silvana Roessler
April 8, 2021
This text has been automatically translated from German to English.

Internet connection problems, inexplicable drops in performance, or the email server is on a blacklist - since the fourth quarter of 2020, there have been an increasing number of cases of German users of Windows computers reporting unspecific anomalies. Gootkit, a well-known banking Trojan, is back and is targeting German users in particular.

In most cases, victims do not notice that their computers have been compromised until, in the best case, their Internet service provider informs them that one of their devices is communicating with a botnet. The checks the user then runs with antivirus programs mostly show no infection, which leaves victims perplexed.

Gootkit is a banking Trojan that has been known since 2014. It has numerous malicious features to steal information from its victims' computers. This includes a keylogger functionality as well as the ability to record video of the screen or even remote access for the attackers.

In some cases, unwanted forwarding rules were additionally set up in email inboxes to siphon off their contents, for example for subsequent phishing campaigns. After a one-year hiatus, this Trojan is back with a new disguise.

The further development of this Trojan allows for a fileless existence on its victim's computer after gaining persistence. Thus, it does not exist as an independent file on the hard drive, but acts only in the main memory. In order to survive a computer restart, its obfuscated code is located in varying keys of the Windows registry. Thus, the Trojan manages to successfully hide itself from some intrusion prevention solutions and antivirus programs.
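A defender-side triage sketch for the registry persistence described above, added here as an example and not taken from the article: it parses the text format written by `reg export` and lists values that are both large and high-entropy. The key names, the sample data and both thresholds are constructed assumptions, not Gootkit indicators.

```python
import base64, hashlib, math, re
from collections import Counter

VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for constant padding, close to 8 for encrypted or packed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_reg_export(text: str):
    """Yield (key, value_name, raw_bytes) from text in `reg export` format."""
    text = re.sub(r',\\\r?\n\s*', ',', text)        # re-join wrapped hex lines
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, rhs = m.group(1).strip('"'), m.group(2)
        if rhs.startswith('"'):                     # REG_SZ (escapes kept; fine for triage)
            yield key, name, rhs[1:-1].encode('utf-8')
        elif rhs.startswith('hex'):                 # REG_BINARY, hex(2), ...; dwords skipped
            body = rhs.split(':', 1)[1]
            yield key, name, bytes(int(b, 16) for b in body.split(',') if b)

def suspicious_values(text: str, min_size: int = 1024, min_entropy: float = 4.5):
    """(key, name, size, entropy) of large, high-entropy values; thresholds are assumed."""
    hits = [(k, n, len(d), round(shannon_entropy(d), 2))
            for k, n, d in parse_reg_export(text)
            if len(d) >= min_size and shannon_entropy(d) >= min_entropy]
    return sorted(hits, key=lambda h: -h[2])

def build_sample() -> str:
    """Constructed export: benign settings plus two stand-in blobs (not real malware data)."""
    blob = b''.join(hashlib.sha256(bytes([i])).digest() for i in range(64))   # 2048 bytes
    wrapped = ',\\\n  '.join(','.join(f'{b:02x}' for b in blob[i:i + 25])
                             for i in range(0, len(blob), 25))
    return ('Windows Registry Editor Version 5.00\n\n'
            '[HKEY_CURRENT_USER\\Software\\ExampleApp]\n'
            '"Theme"="dark"\n"Launches"=dword:0000002a\n'
            '"Padding"=hex:' + ','.join(['00'] * 2048) + '\n\n'
            '[HKEY_CURRENT_USER\\Software\\ConstructedKey]\n'
            '"0"=hex:' + wrapped + '\n"1"="' + base64.b64encode(blob).decode() + '"\n')

if __name__ == '__main__':
    print(*suspicious_values(build_sample()), sep='\n')
```

A real file produced by `reg export` is UTF-16 encoded, so read it with `open(path, encoding='utf-16')` before passing the text in. Hits are candidates for manual review against a known-clean baseline, not verdicts.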

In the current wave of threats, criminals abuse third-party web servers with security vulnerabilities and use SEO poisoning to show potential visitors fake forum posts tailored specifically to what they are searching for. As a result, during an Internet search, especially for templates and patterns, the victim encounters a dynamically created, helpful-sounding forum post containing a file with the appropriate template for download. A noticeable detail is that the file name contains the victim's search terms so that it appears attractive and unsuspicious.

Think actively

If this file is downloaded and then executed, the infection takes its course. The JavaScript program contained in the file connects to its command & control server unnoticed and downloads another script that contains the actual malware. In most cases, it is the fileless variant of the Gootkit Trojan.

However, in some cases, distribution of a variant of the REvil ransomware, which is also fileless, has been observed. REvil, also known as Sodinokibi, is distributed as Ransomware as a Service (RaaS) and belongs to the group of encryption Trojans with additional extortion through data leakage and disclosure.

If a computer has been infected with such fileless malware, professional help should be sought immediately to assess the extent of the damage and the effects of the malware. This is the only way to implement the correct cleanup measures afterwards.

In order to prevent an infection from occurring in the first place, the user must think actively. Can the origin and plausibility of an e-mail attachment or download be determined beyond doubt? If you are not sure, the general rule is: Move the mouse pointer away from the file!

Silvana Roessler

Head of Security Incident Response at Networker, Solutions

