
Pony is malware with two main functions: stealing information and dropping other malware, each with its own task, onto infected machines. It has been around since 2011, and it still actively attacks users in Europe and America.

Type: Stealer
Origin: Unknown
First seen: 1 January, 2011
Last seen: 23 April, 2024
Also known as: Fareit, Siplog



What is Pony malware?

Pony, also known as Fareit or Siplog, is an information stealer and loader: malware used to collect data from infected machines and install other malicious programs. This particular virus was first spotted in the wild in 2011. It is known to attack users primarily in Europe and North America.

The earliest discovered version of Pony stealer is 1.7, and the latest known version is 2.2. Although it has been updated regularly, the malware has not gained groundbreaking new features since Microsoft first discovered it. In addition to its core functionality, Pony can also steal cryptocurrency wallet credentials, credentials stored by FTP clients, and autofill values from browsers.

In contrast to the majority of botnets, Pony stealer does not require a centralized C&C server or a group of C&C servers to carry out its attacks. Instead, each attacker can set up their own custom control server or purchase a server previously set up by another criminal, instantly gaining access to infrastructure that provides reports about the stolen data. In addition, the malware itself can be divided into two modules: the builder, which is used to construct the clients that then have to be delivered to the victim's machine to collect data, and the bot itself, which is the final payload.

General description of Pony malware

The robust functionality of the Pony trojan helped this malware keep its position as the most popular password stealer for 5 years. Apart from being able to steal credentials, much like RedLine, the malware can disable certain antivirus and Windows security features and run in the background completely hidden from the user, who may not have a clue that his or her PC is, in fact, infected. When activated, Pony stealer can use the infected PC to take part in botnet attacks, for example by using the hijacked machine to send spam emails. Pony can also download other malware to the victim's machine and send harvested personal data to a destination specified by the attacker.

What’s more, Pony has been mentioned by multiple “hacker celebrities” as the backbone of many attack campaigns. For instance, the author of the infamous Andromeda botnet has referred to Pony as the “titanic work of the author of miracle (Fareit Bot),” further stating that the loader was incorporated in the Andromeda botnet attacks as a plug-in.

Part of the malware's popularity stems from the fact that the source code of multiple Pony loader versions has been leaked and is available for download on the darknet. In particular, the source code of the Pony builder and loader versions 1.9 and 2.0 is available for download on several underground forums.

The Pony stealer builder is a program that attackers can use to construct custom Pony bots with pre-programmed C&C addresses, to which stolen data is sent. The Pony bot is the actual program that performs the information stealing. According to the analysis, the bot is written primarily in assembly language. A peculiar feature of this malware that separates it from the rest of the pack is its decoding technique: the bot itself does not carry a decoding algorithm, relying instead on simple functions that send the encrypted information to the control server, where the stolen passwords and other data are decrypted.

Even though the core feature set of the Pony trojan has not changed drastically over the course of its lifespan, newer versions of the malware gained several anti-detection features designed to hinder research and disassembly of the malware. In addition to standard evasion and anti-debugging techniques, each attacker has the ability to apply various packers, including custom ones, to avoid detection by antivirus software.

With packers, the malware takes on a nesting-doll design like a Russian matryoshka. As long as the payload remains inactive while the package containing Pony stealer is analyzed, the final payload cannot be detected by antivirus signatures, since it is hidden in the innermost and smallest package. However, once activated, the Pony loader has to unpack itself, thereby revealing its presence.

Pony malware analysis

A video of a simulation recorded in the ANY.RUN malware hunting service allows us to analyze the behavior of Pony in depth.

Figure 1: A process graph generated by ANY.RUN makes it possible to examine the lifecycle of Pony in visual form

Figure 2: Customizable text reports provided by ANY.RUN give more opportunities for research or for sharing study results

Pony malware execution process

In our simulation, after the user ran the malicious file, the malware launched itself. Next, the malicious executable connected to the C2 server and started stealing information from the infected system. It should be noted that in some cases Pony is known to download other malware to the victim's machine.

Distribution of Pony malware

Based on the analysis, Pony is distributed in multiple ways, including email spam campaigns, exploit kits and DNS poisoning. Pony can also be hidden within free downloadable programs and can mimic legitimate software. For example, malicious emails usually include either a Microsoft Word archive or a JavaScript file. As soon as the document is downloaded and opened, Pony infects the victim's PC and starts executing.

Another Pony attack vector is a DNS server that has been compromised by other malware. In this case, the victim is redirected to a malicious website from which Pony is downloaded onto the user's PC.

How to detect Pony stealer using ANY.RUN?

Analysts can examine what changes the malware made to the registry. Click on the process and then on the "More Info" button in the window that appears. Then, in the "Advanced details of process" window, switch to the "Registry changes" tab. Note that you can switch between the friendly and raw display of changes. You can also try this method while analyzing GootKit or Danabot.

Figure 3: Registry changes made by Pony

Conclusion

Availability and a robust feature set helped make Pony stealer one of the most widely used information stealers. In fact, this malware is regularly used in attacks targeting Europe and North America. The danger of Pony attacks is further increased by its nesting-doll design, where the final payload hides within a layered package, allowing it to avoid easy detection. The interactive malware hunting service ANY.RUN gives researchers the ability to see how this dangerous malware functions and to examine its behavior in action in a safe environment.

