Slave Malware Analysis: Evolving From IBAN Swaps to Persistent Webinjects

Slave is financial malware written in Visual Basic. Since 2015 it has evolved from relatively simple IBAN swapping.
June 24, 2015
2 min. read


Slave1 is financial malware written in Visual Basic. Since 2015 it has evolved from relatively simple IBAN swapping of destination bank account numbers to stealthy browser infection, function hooking, and unique webinjects.

Slave conducts its attack by hooking the Internet browser functions and manipulating their code for various fraudulent activities. This manipulation can be used for fraudulent activities such as credentials theft, identity theft, IBAN swapping, and fraudulent fund transfers.

Two weeks before the discovery of Slave, the F5 research team analyzed an unknown malware variant that was used for swapping IBAN numbers—a technique used by fraudsters to swap the destination account number before a funds transfer takes place. Static analysis has shown a strong relationship between the two malware samples, implying that Slave started out with a simple IBAN swap capability and later advanced to more advanced capabilities such as persistency and Zeus-style webinjects.

Upon infection, Slave writes a copy of itself to C:\Documents and Settings\Administrator\ Application Data\startup\. The malware then sets a startup registry key for sys.exe and starts the sys.exe process. To maintain its stealthy browser infection method after each reboot, Slave creates a registry key with a random name, disguised as "Internet Explorer", which will automatically start a complement copy of the malware binary file.

This technique will dynamically change the malware executable file name after each reboot for additional stealth. The malware does not clear its previous entries, so after a couple of reboots, the registry is cluttered with multiple copies of these randomized registry keys.

To see the full version of this article, click "Download" below.

Join the Discussion
Authors & Contributors
Nathan Jester (Author)
SOC Analyst
Elman Reyes (Author)
SOC Analyst
Julia Karpin (Author)
Principal Security Engineer
Pavel Asinovsky (Author)
Malware Researcher

1 F5 Labs is committed to removing racially charged language from our writing. The term "slave" in reference to cybersecurity is one such instance - we choose to use the term "subsidiary" in its place. However, in this case, the term "slave" is the specific name of the malware under discussion. Changing or removing its name would be impossible in this context. F5 Labs wishes to make it clear that we do not condone the usage of this term in the context of cyberecurity.


What's trending?

Forward and Reverse Shells
Forward and Reverse Shells
09/15/2023 article 5 min. read
Web Shells: Understanding Attackers’ Tools and Techniques
Web Shells: Understanding Attackers’ Tools and Techniques
07/06/2023 article 6 min. read
What Is Zero Trust Architecture (ZTA)?
What Is Zero Trust Architecture (ZTA)?
07/05/2022 article 13 min. read