June 24, 2015

Slave Malware Analysis: Evolving From IBAN Swaps to Persistent Webinjects

2 min. read
By Nathan Jester, Elman Reyes, Julia Karpin, Pavel Asinovsky


Slave is financial malware written in Visual Basic. Since 2015 it has evolved from relatively simple IBAN swapping of destination bank account numbers to stealthy browser infection, function hooking, and unique webinjects.

Slave conducts its attack by hooking the Internet browser functions and manipulating their code for various fraudulent activities. This manipulation can be used for fraudulent activities such as credentials theft, identity theft, IBAN swapping, and fraudulent fund transfers.

Two weeks before the discovery of Slave, the F5 research team analyzed an unknown malware variant that was used for swapping IBAN numbers—a technique used by fraudsters to swap the destination account number before a funds transfer takes place. Static analysis has shown a strong relationship between the two malware samples, implying that Slave started out with a simple IBAN swap capability and later advanced to more advanced capabilities such as persistency and Zeus-style webinjects.

Upon infection, Slave writes a copy of itself to C:\Documents and Settings\Administrator\ Application Data\startup\. The malware then sets a startup registry key for sys.exe and starts the sys.exe process. To maintain its stealthy browser infection method after each reboot, Slave creates a registry key with a random name, disguised as "Internet Explorer", which will automatically start a complement copy of the malware binary file.

This technique will dynamically change the malware executable file name after each reboot for additional stealth. The malware does not clear its previous entries, so after a couple of reboots, the registry is cluttered with multiple copies of these randomized registry keys.

To see the full version of this article, click "Download" below.


Expertly picked stories on threat intelligence

Hundreds of apps will be attacked by the time you read this.

So, we get to work. We obsess over effective attack methods. We monitor the growth of IoT and its evolving threats. We dive deep into the latest crypto-mining campaigns. We analyze banking Trojan targets. We dissect exploits. We hunt for the latest malware. And then our team of experts share it all with you. For more than 20 years, F5 has been leading the app delivery space. With our experience, we are passionate about educating the security community-providing the intel you need to stay informed so your apps can stay safe.


9 hrs

a critical vulnerability—with the potential for remote code execution—is released.