Pony is malware with two main functions: stealing information and dropping other malicious programs with different tasks on infected machines. It has been around since 2011 and still actively attacks users in Europe and America.

Type: Stealer
Origin: Unknown
First seen: 1 January, 2011
Last seen: 30 September, 2020
Also known as: Fareit, Siplog
Global rank: 9
Week rank: 14
Month rank: 20
IOCs: 9151

What is Pony malware?

Pony, also known as Fareit or Siplog, is an information stealer and loader – malware used to collect data from infected machines and install other malicious programs. This particular virus was first spotted in the wild in 2011. It is known to attack users primarily in Europe and North America.

The earliest discovered version of Pony stealer is 1.7 and the latest known version is 2.2. Although it has been updated regularly, the malware has not gained groundbreaking new features since its first discovery by Microsoft. In addition to its core functionality, Pony can also steal cryptocurrency wallet credentials, FTP client credentials and autofill values from browsers.

In contrast to the majority of botnets, Pony stealer does not require a centralized C&C server or a group of C&C servers to carry out its attacks. Instead, each attacker can set up their own custom control server or purchase a server that was previously set up by another criminal, instantly gaining access to infrastructure that provides reports about the stolen data. The malware itself can be divided into two modules: the builder, which is used to construct clients that then have to be delivered to the victim’s machine to collect data, and the bot itself – the final payload.

General description of Pony malware

The robust functionality of the Pony trojan helped this malware keep its position as the most popular password stealer for 5 years. Apart from stealing credentials, Pony malware can disable certain antivirus and Windows security features and run in the background completely hidden from the user, who may have no clue that his or her PC is, in fact, infected. When activated, Pony stealer can use the infected PC to take part in botnet attacks, for example, using the hijacked machine to send spam emails. Pony can also download other malware to the victim’s machine and send harvested personal data to a destination specified by the attacker.

What’s more, Pony has been mentioned by multiple “hacker celebrities” as the backbone of many attack campaigns. For instance, the author of the infamous Andromeda botnet has referred to Pony as “titanic work of the author of miracle (Fareit Bot)”, further stating that Pony loader was incorporated in the Andromeda botnet attacks as a plug-in.

Part of the malware’s popularity is due to the fact that the source code of multiple Pony loader versions has been leaked and is available for download on the darknet. In particular, the source code of the Pony builder and loader versions 1.9 and 2.0 is available on several underground forums.

The Pony stealer builder is a program that attackers use to construct custom Pony bots with pre-programmed C&C addresses, to which stolen data is sent. The Pony bot is the actual program that performs the information stealing. The bot is written primarily in assembly language. A peculiar feature that separates this malware from the rest of the pack is its decoding approach: the bot itself does not contain a decoding algorithm, and instead uses only simple routines that send encrypted information to the control server, where the stolen passwords and other data are decrypted.

Even though the core feature set of the Pony trojan has not changed drastically over its lifespan, newer versions of the malware gained several anti-detection features designed to hinder research and disassembly. In addition to standard evasion and anti-debugging techniques, each attacker can apply various packers, including custom ones, to avoid detection by antivirus software.

With the use of packers, the malware gains a Russian “matryoshka” nesting-doll-like design. While the payload is inactive, that is, when the package containing Pony stealer is analyzed statically, the final payload cannot be detected by antivirus signatures, since it is hidden in the innermost and smallest package. However, once activated, Pony loader has to unpack itself, thus revealing its presence.
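As an added illustration of the layered-package point above (a constructed example, not Pony’s real packer and not ANY.RUN code): a toy two-layer wrapper, zlib over a single-byte XOR, and a scanner that applies a constructed signature at every layer. The signature is absent from the outer package and only matches once both layers are peeled, which is what a static scan of the outer file misses and what execution in a sandbox effectively forces.

```python
import zlib

# Constructed stand-in for an AV signature: a byte string that appears only in
# the final, fully unpacked payload. Not a real Pony signature.
SIGNATURE = b"PONY_PAYLOAD_MARKER"


def xor_layer(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used here as a toy obfuscation layer (symmetric)."""
    return bytes(b ^ key for b in data)


def pack(payload: bytes) -> bytes:
    """Build a two-layer 'matryoshka' package: XOR inside, zlib outside.

    Each layer carries a 4-byte tag so the unpacker knows how to peel it."""
    inner = b"XOR1" + bytes([0x5A]) + xor_layer(payload, 0x5A)
    return b"ZLIB" + zlib.compress(inner)


def unwrap_one(package: bytes):
    """Peel exactly one layer; return None when no known wrapper tag is present."""
    if package.startswith(b"ZLIB"):
        return zlib.decompress(package[4:])
    if package.startswith(b"XOR1"):
        return xor_layer(package[5:], package[4])
    return None


def scan_layers(package: bytes, max_depth: int = 8):
    """Apply the signature at every layer down to max_depth.

    Returns (depth_at_which_signature_matched, layers_examined). A depth of
    None means the signature never matched within the allowed depth, which is
    exactly what a scanner that only looks at the outer file (max_depth=0)
    reports for a packed payload."""
    depth, current = 0, package
    while current is not None and depth <= max_depth:
        if SIGNATURE in current:
            return depth, depth + 1
        current = unwrap_one(current)
        depth += 1
    return None, depth


if __name__ == "__main__":
    sample = b"header..." + SIGNATURE + b"...stealer body"  # constructed payload
    packaged = pack(sample)
    print("outer layer only:", scan_layers(packaged, max_depth=0))
    print("all layers:      ", scan_layers(packaged))
```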

Pony malware analysis

A video of a simulation recorded in the ANY.RUN malware hunting service helps us examine the behavior of Pony in depth.

Figure 1: A process graph generated by ANY.RUN makes it possible to examine the lifecycle of Pony in visual form

Figure 2: Customizable text reports provided by ANY.RUN give more opportunities for research or for sharing study results

Pony malware execution process

In our simulation, after the malicious file was run by the user, the malware launched itself. Next, the malicious executable connected to the C2 server and started stealing information from the infected system. It should be noted that in some cases Pony is known to download other malware to the victim’s machine.

Distribution of Pony malware

Pony is distributed in multiple ways, among which are email spam campaigns, exploit kits and DNS poisoning. Pony can also be hidden within free downloadable programs and can mimic legitimate software. Malicious emails usually include either a Microsoft Word document, an archive or a JavaScript file. As soon as the attachment is downloaded and opened, Pony is installed on the victim’s PC and starts executing.

Another Pony attack vector is a compromised DNS server that has been infected by other malware. In this case, the victim is redirected to a malicious website from which Pony is downloaded onto the user’s PC.

How to detect Pony stealer using ANY.RUN?

Analysts can take a look at what changes the malware made in the registry. Click on the process, then on the "More Info" button in the window that appears. In the "Advanced details of process" window, switch to the "Registry changes" tab. Note that you can switch between the friendly and raw display of changes.

Figure 3: Registry changes made by Pony

Conclusion

Availability and a robust feature set helped make Pony stealer one of the most widely used information stealers. In fact, this malware is regularly used in attacks targeting Europe and North America. The danger of Pony attacks is further enhanced by its nesting-doll-like design, where the final payload hides within a layered package, allowing it to avoid easy detection. The interactive malware hunting service ANY.RUN gives researchers the ability to take a look at how this dangerous malware functions and examine its behavior in action in a safe environment.

IOCs

