Report / Jun 24, 2015

Slave Malware Analysis: Evolving From IBAN Swaps to Persistent Webinjects

by nathan jester elman reyes julia karpin pavel asinovsky

Slave is financial malware written in Visual Basic. Since 2015 it has evolved from relatively simple IBAN swapping of destination bank account numbers to stealthy browser infection, function hooking, and unique webinjects.

Slave conducts its attack by hooking the Internet browser functions and manipulating their code for various fraudulent activities. This manipulation can be used for fraudulent activities such as credentials theft, identity theft, IBAN swapping, and fraudulent fund transfers.

Two weeks before the discovery of Slave, the F5 research team analyzed an unknown malware variant that was used for swapping IBAN numbers—a technique used by fraudsters to swap the destination account number before a funds transfer takes place. Static analysis has shown a strong relationship between the two malware samples, implying that Slave started out with a simple IBAN swap capability and later advanced to more advanced capabilities such as persistency and Zeus-style webinjects.

Upon infection, Slave writes a copy of itself to C:\Documents and Settings\Administrator\ Application Data\startup\. The malware then sets a startup registry key for sys.exe and starts the sys.exe process. To maintain its stealthy browser infection method after each reboot, Slave creates a registry key with a random name, disguised as "Internet Explorer", which will automatically start a complement copy of the malware binary file.

This technique will dynamically change the malware executable file name after each reboot for additional stealth. The malware does not clear its previous entries, so after a couple of reboots, the registry is cluttered with multiple copies of these randomized registry keys.

To see the full version of this report, click "Download" below.


MODIFIED: Jul 06, 2017

Follow us on social media.