Slave Malware Analysis: Evolving From IBAN Swaps to Persistent Webinjects
- by nlqip
Slave is financial malware written in Visual Basic. Since 2015 it has evolved from relatively simple IBAN swapping of destination bank account numbers to stealthy browser infection, function hooking, and unique webinjects.
Slave conducts its attack by hooking the Internet browser functions and manipulating their code for various fraudulent activities. This manipulation can be used for fraudulent activities such as credentials theft, identity theft, IBAN swapping, and fraudulent fund transfers.
Two weeks before the discovery of Slave, the F5 research team analyzed an unknown malware variant that was used for swapping IBAN numbers—a technique used by fraudsters to swap the destination account number before a funds transfer takes place. Static analysis has shown a strong relationship between the two malware samples, implying that Slave started out with a simple IBAN swap capability and later advanced to more advanced capabilities such as persistency and Zeus-style webinjects.
Upon infection, Slave writes a copy of itself to C:Documents and SettingsAdministrator Application Datastartup. The malware then sets a startup registry key for sys.exe and starts the sys.exe process. To maintain its stealthy browser infection method after each reboot, Slave creates a registry key with a random name, disguised as “Internet Explorer”, which will automatically start a complement copy of the malware binary file.
This technique will dynamically change the malware executable file name after each reboot for additional stealth. The malware does not clear its previous entries, so after a couple of reboots, the registry is cluttered with multiple copies of these randomized registry keys.
To see the full version of this article, click “Download” below.
Source link
lol
Slave is financial malware written in Visual Basic. Since 2015 it has evolved from relatively simple IBAN swapping of destination bank account numbers to stealthy browser infection, function hooking, and unique webinjects. Slave conducts its attack by hooking the Internet browser functions and manipulating their code for various fraudulent activities. This manipulation can be…
Recent Posts
- Arm To Seek Retrial In Qualcomm Case After Mixed Verdict
- Jury Sides With Qualcomm Over Arm In Case Related To Snapdragon X PC Chips
- Equinix Makes Dell AI Factory With Nvidia Available Through Partners
- AMD’s EPYC CPU Boss Seeks To Push Into SMB, Midmarket With Partners
- Fortinet Releases Security Updates for FortiManager | CISA