Doctor Web, a Russian antivirus company, has in the last few weeks discovered a new Trojan that searches for computers containing SAP client applications. For now, this is the Trojan’s only activity. This type of behavior would indicate that the criminals are amassing a network for a future attack.
SAP makes software for Enterprise Resource Planning (ERP). It is the world’s largest business software company and the third biggest independent software provider by revenue. More than 250,000 companies use SAP, including 80% of the Fortune 500 companies.
SAP client configuration files, as with nearly all applications, are unencrypted and are therefore easy to read. Such files for client-server software contain the location of the server-side software. In the case of SAP this would be an IP address instead of a host name. Passwords are also readable in some configuration files and GUI automation scripts. And with access to the computer, passwords that are not stored in files can be captured from the application process.
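To check a workstation for this exposure, the following added example (not part of the original article) audits the text of a client configuration file and a GUI automation script for a literal server IP address and for hardcoded passwords, reporting the file and line with the secret redacted. The `saplogon.ini`-style layout, the `pwd` field identifier in the script, the patterns and all sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample inputs; layout and values are assumptions, not real data.
SAMPLE_INI = """[Server]
Item1=192.0.2.15
[Description]
Item1=ERP Production
"""
SAMPLE_SCRIPT = '''session.findById("wnd[0]/usr/txtRSYST-BNAME").text = "jdoe"
session.findById("wnd[0]/usr/pwdRSYST-BCODE").text = "Summer2013!"
session.findById("wnd[0]").sendVKey 0
'''

# Assumed patterns: a password field set from a script, a generic
# password key in a config file, and a literal IPv4 address as a value.
PATTERNS = [
    ("password-in-script",
     re.compile(r'findById\("[^"]*/pwd[^"]*"\)\.text\s*=\s*"([^"]+)"', re.I)),
    ("password-key",
     re.compile(r'^\s*\w*(?:password|passwd|pwd)\w*\s*=\s*(\S+)', re.I)),
    ("server-ip",
     re.compile(r'=\s*((?:\d{1,3}\.){3}\d{1,3})\s*$')),
]

def audit_text(name, text):
    """Return (file, line number, finding kind, value) for each exposed line.

    Password values are replaced with a marker so the report itself
    does not become another plaintext copy of the secret.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                value = match.group(1) if kind == "server-ip" else "<redacted>"
                findings.append((name, line_no, kind, value))
                break  # one finding per line is enough for the report
    return findings

if __name__ == "__main__":
    for finding in (audit_text("saplogon.ini", SAMPLE_INI)
                    + audit_text("logon.vbs", SAMPLE_SCRIPT)):
        print(finding)
```

Any `password-in-script` or `password-key` finding marks a file whose credential should be removed and rotated.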
With access to SAP servers, criminals can steal customer information, trade secrets, and company bank account information, process false payments to themselves, or change the routing of payments to their own accounts.