Pony

Pony is malware with two main functions: stealing information and dropping other malicious programs with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America.

Type: Stealer
Origin: Unknown
First seen: 1 January, 2011
Last seen: 26 January, 2023
Also known as: Fareit, Siplog
Global rank: 17
Week rank: 24
Month rank: 24
IOCs: 84579

What is Pony malware?

Pony, also known as Fareit or Siplog, is an information stealer and loader – malware used to collect data from infected machines and install other malicious programs. This particular virus was first spotted in the wild in 2011. It is known to attack users primarily in Europe and North America.

The earliest discovered version of Pony stealer is 1.7, and the latest known version is 2.2. Though regularly updated, the malware has not gained groundbreaking new features since its first discovery by Microsoft. In addition to its core functionality, Pony can also steal cryptocurrency wallet credentials, FTP client credentials, and autofill values from browsers.

In contrast to the majority of botnets, Pony stealer does not require a centralized C&C server or a group of C&C servers to carry out its attacks. Instead, each attacker can set up their own custom control server or purchase a server previously set up by another criminal, instantly gaining access to infrastructure that provides reports about the stolen data. In addition, the malware itself can be divided into two modules: the builder, which is used to construct clients that then have to be delivered to the victim’s machine to collect data, and the bot itself – the final payload.

General description of Pony malware

The robust functionality of the Pony trojan helped this malware keep its position as the most popular password stealer for 5 years. Apart from being able to steal credentials, as RedLine does, the malware can disable certain antivirus and Windows security features and run in the background completely hidden from the user, who may have no clue that his or her PC is in fact infected. When activated, Pony stealer can use the infected PC to take part in botnet attacks, for example using the hijacked machine to send spam emails. Pony can also download other malware to the victim’s machine and send harvested personal data to a destination specified by the attacker.

What’s more, Pony has been mentioned by multiple “hacker celebrities” as the backbone of many attack campaigns. For instance, the author of the infamous Andromeda botnet referred to Pony as the “titanic work of the author of miracle (Fareit Bot),” further stating that the loader was incorporated into Andromeda botnet attacks as a plug-in.

Part of the malware’s popularity stems from the fact that the source code of multiple Pony loader versions has been leaked and is available for download on the darknet. In particular, the source code of Pony builder and loader versions 1.9 and 2.0 is available on several underground forums.

The Pony stealer builder is a program that attackers use to construct custom Pony bots with pre-programmed C&C addresses to which stolen data is sent. The Pony bot is the actual program that performs the information stealing. According to the analysis, the bot is written primarily in assembly language. A peculiar feature of this malware that separates it from the rest of the pack is its decoding technique: the bot itself does not carry a decoding algorithm; instead, it uses simple functions that send the collected information in encrypted form to the control server, where stolen passwords and other data are decrypted.

Even though the core feature set of the Pony trojan has not changed drastically over the course of its lifespan, newer versions of the malware gained several anti-detection features designed to hinder research and disassembly. In addition to standard evasion and anti-debugging techniques, each attacker has the ability to apply various packers, including custom ones, to avoid detection by antivirus software.

With the use of packers, the malware gains a Russian “matryoshka” nesting-doll-like design. While the package containing Pony stealer is being analyzed, the payload stays inactive, and the final payload cannot be detected by antivirus signatures since it is hidden in the innermost and smallest package. However, once activated, the Pony loader has to unpack itself, thus revealing its presence.

Pony malware analysis

A video of a simulation recorded in the ANY.RUN malware hunting service helps us analyze the behavior of Pony in depth.

Figure 1: A process graph generated by ANY.RUN makes it possible to examine the lifecycle of Pony in a visual form

Figure 2: Customizable text reports provided by ANY.RUN give more opportunities for research or sharing of study results

Pony malware execution process

In our simulation, after the user ran the malicious file, the malware launched itself. Next, the malicious executable connected to the C2 server and started stealing information from the infected system. It should be noted that in some cases Pony is known to download other malware to the victim’s machine.

Distribution of Pony malware

Based on the analysis, Pony is distributed in multiple ways, including email spam campaigns, exploit kits and DNS poisoning. Pony can also be hidden within free downloadable programs and can mimic legitimate software. For example, malicious emails usually include either a Microsoft Word archive or a JavaScript file. As soon as the document is downloaded and opened, Pony infects the victim’s PC and starts execution.

Another Pony attack vector is a compromised DNS server that has been infected by other malware. In this case, the victim is redirected to a malicious website from which Pony downloads itself onto the user’s PC.

How to detect Pony stealer using ANY.RUN?

Analysts can examine what changes the malware made in the registry. Click on the process and then on the "More Info" button in the window that appears. Then, in the "Advanced details of process" window, switch to the "Registry changes" tab. Note that you can switch between the friendly and raw display of changes. You can also try this method while analyzing GootKit or Danabot.

Figure 3: Registry changes made by Pony

Conclusion

Availability and a robust feature set helped make Pony stealer one of the most widely used information stealers. In fact, this malware is regularly used in attacks targeting Europe and North America. The danger of Pony attacks is further enhanced by its nesting-doll-like design, where the final payload hides within a layered package, allowing it to avoid easy detection. The interactive malware hunting service ANY.RUN gives researchers the ability to look at how this dangerous malware functions and examine its behavior in action in a safe environment.

IOCs

