{
	"id": "1e9447a9-ee45-4fdd-a10b-b9101587725b",
	"created_at": "2026-04-06T01:32:27.843141Z",
	"updated_at": "2026-04-10T03:21:29.42293Z",
	"deleted_at": null,
	"sha1_hash": "7d3b6e463f2bada5fb04168d94c3368b796a73b2",
	"title": "Slave, Banatrix and ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 120503,
	"plain_text": "Slave, Banatrix and ransomware\nArchived: 2026-04-06 00:11:02 UTC\n\nIn March 2015, S21sec published their analysis of a new e-banking trojan horse targeting Polish users. They named it “Slave”, because such a string was part of a path to one of the shared libraries. We think (in part thanks to the kernelmode.info thread) that Slave was made by the same group of authors that is responsible for the previously described Banatrix and a ransomware/Android malware campaign. This means that those authors are most certainly fluent in Polish.\n\nHistory of Polish banking trojan malware\n\nThe first Polish malware that we discovered was VBKlip. Its purpose was to replace a bank account number that was copied to the Windows clipboard. Then, because this method was widely publicized in Poland, another author started to make knock-offs. This malware, written in a few lines of .NET or C++ code, was even simpler. All of those simpler versions were made by the same person, known from earlier phishing attempts.\n\nNext, Banatrix came on the scene. It was a really advanced trojan horse, which was able to execute any code on the infected machine, but was mainly used to steal password data from the Firefox web browser and replace the bank account number when the user tried to paste it on the e-banking website. The Banatrix infrastructure used the Tor network and Bitcoins to make the botnet owners more anonymous.\n\nhttps://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/\nPage 1 of 5\n\nThe most recent Polish malware is Slave – an e-banking trojan horse discovered by S21sec. We have multiple reasons to believe that the same group is responsible for creating Slave and Banatrix. Slave is based on webinjects – HTML or JavaScript snippets added to a website when a user tries to display it in the browser. This code is responsible for e.g. extracting login information or performing a social engineering attack.\n\nTechnical details\n\nSlave is dropped by another malware called “Andromeda”. This malware is only used as a mechanism for dropping the actual payload. Andromeda is sent using e-mail messages that suggest that the attachment is an outstanding invoice. Andromeda and Slave are two very different strains of malware and do not communicate with each other. The attacker, however, created a system in which only a machine infected with Andromeda first may download the Slave malware. This most probably is a countermeasure to make analysis more difficult – you cannot just download Slave using the URL extracted from Andromeda.\n\nSlave for the most part is no different from other trojan horses based on webinjects. However, there are some features that make it stand out. First, it only targets Polish banks and runs only after a specified date – 1st of April, 2015. Slave injects its code into Internet Explorer, Firefox and Chrome. However, Opera is currently unsupported. Content Security Policy headers are also stripped from server responses, so that the violation report will not be sent back to the bank.\n\nAnother interesting feature is the Bitcoin address replacement. Whenever there is a Bitcoin address in the clipboard, it is replaced with another one, hardcoded in the sample. Below is the code that does the switch.\n\nThe replaced address, 1NoKsR7jcTTufgrvh6zyvyJmL2z73aQXQP, does not hold any assets at the moment.\n\nMalware configuration is downloaded from a URI /info.php?key=[value], where value is a part of a Bitcoin address, used for an unknown purpose. This configuration specifies URLs to which specific external JavaScript code should be added. These scripts are used to exfiltrate login info and perform different kinds of social engineering attacks.\n\nWe also have information that the recently described Android/Windows malware campaign is also authored by the same group. This only shows that the attackers are very versatile and use several different methods to steal money from users.\n\nSummary\n\nIt appears Polish malware authors are constantly working on and upgrading their malware. Different groups present different technical abilities and different modi operandi. There are only a couple of different malware authors, and we are far away from having a cybercrime “malware writing” business in our country, but even so, we should take all of these kinds of threats seriously.\n\nSample hashes and VirusTotal scores\nb92710a9a65e62accb5e6772704b20606d7f00a4f5e8d44758e0868a9cdd43af 22 / 56\nffc119b8eaff94b62810b82ab456e1e3f71b86d72e57cb45781878f5199fccbc 20 / 56\n35c4b500b4c94f3dae0ce3604759787384ef7de9708add2c8de86dcf7e4b0322 38 / 55\nca7947dea43c200ce0c521b54baf60b973990af421b4cbafaba7eaddadb496f3 23 / 56\n751866cb3f85e9c991187ff415010faba84903072cef2bf29bb24596fd1e6eca 35 / 55\n\nP.S. Attribution is hard\n\nCode attribution is a really hard task. Most of the authors – contrary to what TV series and movies lead us to believe – do not “sign” their code in any way. However, some of the samples may contain some telltale signs – whether it is a specific object name or a path to a local file. Based on this, researchers try to connect two different malware families and imply that they were made by the same author. However, this link is usually really limited. After all, malware authors can use this data to manipulate the researcher into thinking that they know the attacker. The most famous case of this is the string “Coded by BRIAN KREBS for personal use only. I love my job and my wife” present in some of the Citadel samples. Of course, Brian Krebs, the renowned cybersecurity journalist, is not the author of the Citadel code.\n\nThere are of course other sources providing a link between different malware families. One of them is information obtained from anonymous sources that sometimes disclose particular facts about the malware, which only people close to the author may know. However, this information is really hard to verify and must be used with caution. Lastly, the other popular link is the usage of the same infrastructure – whether it is the same hosting or even the same server.\n\nAll of this information consists only of small clues, which have to be combined in order to create a solid link between two malware strains. However, we are almost never certain that there is in fact a connection. On the other hand, we cannot always disclose all of the information that we have. This creates an environment that is prone to manipulation and may be used for PR gain. That is why all revelations of this kind, even the ones described here, have to be taken with a grain of salt.\n\nSource: https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/"
	],
	"report_names": [
		"slave-banatrix-and-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439147,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d3b6e463f2bada5fb04168d94c3368b796a73b2.pdf",
		"text": "https://archive.orkl.eu/7d3b6e463f2bada5fb04168d94c3368b796a73b2.txt",
		"img": "https://archive.orkl.eu/7d3b6e463f2bada5fb04168d94c3368b796a73b2.jpg"
	}
}