Fraud
Updated July 06, 2017 (originally published June 24, 2015)

Slave Malware Analysis: Evolving From IBAN Swaps to Persistent Webinjects


Slave¹ is financial malware written in Visual Basic. Since 2015 it has evolved from relatively simple IBAN swapping of destination bank account numbers to stealthy browser infection, function hooking, and unique webinjects.

Slave conducts its attack by hooking Internet browser functions and manipulating their code. This manipulation supports fraudulent activities such as credential theft, identity theft, IBAN swapping, and fraudulent fund transfers.

Two weeks before the discovery of Slave, the F5 research team analyzed an unknown malware variant that was used for swapping IBAN numbers—a technique fraudsters use to replace the destination account number before a funds transfer takes place. Static analysis showed a strong relationship between the two malware samples, implying that Slave started out with a simple IBAN-swap capability and later gained more advanced capabilities such as persistence and Zeus-style webinjects.

Upon infection, Slave writes a copy of itself to C:\Documents and Settings\Administrator\Application Data\startup\. The malware then sets a startup registry key for sys.exe and starts the sys.exe process. To maintain its stealthy browser infection after each reboot, Slave creates a registry key with a random name, disguised as "Internet Explorer", which automatically starts a second copy of the malware binary.

This technique dynamically changes the malware executable's file name after each reboot for additional stealth. The malware does not clear its previous entries, so after a few reboots the registry is cluttered with multiple copies of these randomized registry keys.
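As an added defender-side example (not code from the F5 Labs article), the Python below reviews Run-key entries for the persistence pattern described above: an autostart value named like Internet Explorer that launches from a user-writable startup folder, and several differently named binaries accumulating in that folder across reboots. The entries are constructed sample data; the random file names are invented.

```python
import re
from collections import defaultdict

# Constructed sample of HKCU\...\Run values as (value_name, command) pairs,
# modelled on the behaviour described above (sys.exe plus randomly named
# copies left behind after reboots). The random file names are invented.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("Internet Explorer", r"C:\Documents and Settings\Administrator\Application Data\startup\sys.exe"),
    ("Internet Explorer", r"C:\Documents and Settings\Administrator\Application Data\startup\kq83ax.exe"),
    ("Internet Explorer", r"C:\Documents and Settings\Administrator\Application Data\startup\vm02ts.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]

# Path fragments treated as system-managed (not user-writable) locations.
SYSTEM_DIRS = ("\\program files", "\\windows\\")


def exe_path(command):
    """Extract the executable path from a Run-key command (quotes and arguments dropped)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    match = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return match.group(1) if match else command


def flag_run_entries(entries):
    """Return [(value_name, exe, reasons)] for entries matching the heuristics."""
    parsed = [(name, exe_path(cmd)) for name, cmd in entries]
    per_dir = defaultdict(set)  # directory -> distinct binaries launched from it
    for _, exe in parsed:
        per_dir[exe.rpartition("\\")[0].lower()].add(exe.lower())
    findings = []
    for name, exe in parsed:
        low = exe.lower()
        directory = low.rpartition("\\")[0]
        in_system_dir = any(marker in low for marker in SYSTEM_DIRS)
        reasons = []
        if "internet explorer" in name.lower() and not in_system_dir:
            reasons.append("named like Internet Explorer but launched from a user-writable path")
        if "\\startup\\" in low and not in_system_dir:
            reasons.append("autostart binary dropped in a per-user startup folder")
        if len(per_dir[directory]) > 1 and not in_system_dir:
            reasons.append("%d distinct autostart binaries share this user directory" % len(per_dir[directory]))
        if reasons:
            findings.append((name, exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in flag_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[!] {name!r} -> {exe}\n    " + "\n    ".join(reasons))
```

On a live host the same function can be fed the output of a Run-key export instead of the constructed list.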


App Tiers Affected: Client, Services, Access, TLS, DNS, Network
Footnotes

¹ F5 Labs is committed to removing racially charged language from our writing. The term "slave" in reference to cybersecurity is one such instance; we choose to use the term "subsidiary" in its place. However, in this case, the term "slave" is the specific name of the malware under discussion. Changing or removing its name would be impossible in this context. F5 Labs wishes to make it clear that we do not condone the usage of this term in the context of cybersecurity.
