Pony

Pony, also known as Fareit, is an information stealer and loader: malware used to collect data from infected machines and to install other malicious programs. It was first spotted in the wild in 2011 and is known to target users primarily in Europe and North America.

  • Type
    Stealer
  • Origin
    Unknown
  • First seen
    1 January, 2011
  • Last seen
    21 November, 2019
  • Also known as
    Fareit
  • Global rank
    8
  • Week rank
    18
  • Month rank
    12
  • IOCs
    5038

What is Pony malware?

The earliest discovered version of Pony is 1.7 and the latest known version is 2.2. Although it has been updated regularly, the malware has not gained any groundbreaking new features since it was first discovered by Microsoft. Beyond its core credential theft, Pony can also steal cryptocurrency wallet credentials, FTP client credentials and browser autofill values.

Unlike most botnets, Pony does not depend on a single centralized C&C server or a fixed group of them. Instead, each attacker sets up their own control server, or buys one previously set up by another criminal, and immediately gains infrastructure that collects and reports on the stolen data. The malware itself has two parts: the builder, used to construct bot executables that are then delivered to the victim's machine, and the bot itself, the final payload that collects the data.

General description of Pony

Pony's robust functionality kept it the most popular password stealer for five years. Besides stealing credentials, Pony can disable certain antivirus and Windows security features and run in the background completely hidden from the user, who may have no idea that the PC is infected. Once active, Pony can enlist the infected PC in botnet activity, for example using the hijacked machine to send spam. It can also download other malware onto the victim's machine and send harvested personal data to a destination chosen by the attacker.

What's more, Pony has been cited by several well-known malware authors as the backbone of their campaigns. For instance, the author of the infamous Andromeda botnet referred to Pony as “titanic work of the author of miracle (Fareit Bot)” and stated that Pony was incorporated into Andromeda botnet attacks as a plug-in.

Part of the malware's popularity is due to the fact that the source code of several Pony versions has leaked and can be downloaded on the darknet. In particular, the builder and loader source code for versions 1.9 and 2.0 is available on several underground forums.

The Pony builder is a program attackers use to construct custom Pony bots with pre-programmed C&C addresses to which stolen data is sent. The Pony bot is the program that actually steals the information; it is written primarily in assembly language. A peculiar feature that separates this malware from the rest of the pack is its approach to decoding: the bot does not carry a decoding algorithm of its own, but uses simple routines that send the collected, still-encrypted data to the control server, where stolen passwords and other data are decrypted.

Even though the core feature set of Pony has not changed drastically over its lifespan, newer versions gained several anti-detection features designed to hinder research and disassembly. In addition to standard anti-analysis and anti-debugging techniques, each attacker can wrap the bot in a packer of their choice, including custom ones, to avoid detection by antivirus software.

Packers give the malware a Russian matryoshka, nesting-doll-like design. While the payload is dormant, analysis of the outer package does not expose the final payload to antivirus signatures, because it sits in the innermost and smallest layer. Once executed, however, Pony has to unpack itself in memory, which reveals its presence; this is why a memory dump taken after execution, rather than the file on disk, is where signatures and string extraction work.
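To make the nesting-doll point concrete, here is an added Python example (not ANY.RUN's tooling and not Pony's own packer, which the page does not describe). It builds a constructed "unpacked" bot body with a made-up C2 gate URL, wraps it in one layer using an XOR crypter with a PRNG keystream as a stand-in for an attacker's packer, and then runs the two checks an analyst applies to both forms: a byte-entropy heuristic for "packed or encrypted" and a strings-based search for C2 URLs. The hostname, URL, marker string and key seed are all assumptions made for the example.

```python
import math
import random
import re

# Constructed stand-in for an unpacked bot body: mostly zero padding plus the kind of
# plaintext a builder bakes into a bot (a C2 gate URL, a report marker, a Run-key path).
# The hostname, URL and marker are invented for this example, not real indicators.
UNPACKED = (
    b"\x00" * 1024
    + b"http://c2.example.invalid/gate.php\x00"
    + b"REPORT01\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x00" * 3072
)


def keystream(length, seed=0x506F6E79):
    """Deterministic PRNG keystream: a stand-in for a crypter's key, not Pony's packer."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_layer(data):
    """One nesting-doll layer. XOR is its own inverse, so applying it twice unpacks."""
    return bytes(a ^ b for a, b in zip(data, keystream(len(data))))


PACKED = xor_layer(UNPACKED)  # what a signature scanner sees on disk

URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")


def shannon_entropy(data):
    """Bits per byte: ~0 for constant data, close to 8.0 for random-looking data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_urls(data):
    """URL-looking printable runs, as a strings-based triage would find them."""
    return [m.decode("ascii") for m in URL_RE.findall(data)]


def triage(data, threshold=7.0):
    """Entropy heuristic for 'packed or encrypted' plus whatever C2 URLs are visible."""
    ent = shannon_entropy(data)
    return {
        "entropy": round(ent, 2),
        "likely_packed": ent >= threshold,
        "urls": extract_urls(data),
    }


def unpack(data):
    """Stand-in for letting the sample run and dumping its unpacked payload from memory."""
    return xor_layer(data)


if __name__ == "__main__":
    print("on disk  :", triage(PACKED))
    print("in memory:", triage(unpack(PACKED)))
```

On disk the blob scores near 8 bits per byte and yields no URL; after the layer is removed the entropy collapses and the gate URL is visible. The 7.0 threshold is a common rule of thumb, not a verdict: compressed resources and legitimate installers also score high, so treat it as a reason to run the sample and dump memory, which is what the sandbox analysis below does.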

Pony malware analysis

A recording of an analysis session in the ANY.RUN malware hunting service lets us examine the behavior of Pony in depth.

Figure 1: A process graph generated by ANY.RUN shows the lifecycle of Pony in visual form

Figure 2: Customizable text reports provided by ANY.RUN give more opportunities for research and for sharing results

Pony execution process

In our session, once the user ran the malicious file, the malware launched. The executable then connected to its C2 server and began harvesting information from the infected system. Note that in some cases Pony also downloads additional malware onto the victim's machine.

Distribution of Pony

Pony is distributed in several ways, including email spam campaigns, exploit kits and DNS poisoning. It can also be hidden inside free downloadable programs and mimic legitimate software. Malicious emails usually carry a Microsoft Word document, an archive or a JavaScript file; as soon as the attachment is downloaded and opened, the Pony payload is dropped onto the victim's PC and executed.

Another attack vector is a compromised DNS server, itself infected by other malware, which redirects the victim to a malicious website from which Pony is downloaded onto the user's PC.

How to get more info from the analysis of Pony malware using ANY.RUN?

Analysts can inspect the changes the malware made to the registry. Click on the process, then on the "More Info" button in the window that appears. In the "Advanced details of process" window, switch to the "Registry changes" tab. Note that you can switch between the friendly and raw display of changes.

Figure 3: Registry changes made by Pony

Conclusion

Availability and a robust feature set have made Pony one of the most widely used information stealers, and it is regularly used in attacks targeting Europe and North America. The danger is compounded by its nesting-doll design, in which the final payload hides inside a layered package and evades easy detection. The interactive malware hunting service ANY.RUN lets researchers watch how this dangerous malware functions and examine its behavior in action in a safe environment.

IOCs

IP addresses
213.186.33.2
192.254.235.39
104.239.157.210
114.57.247.166
23.227.38.32
172.93.103.194
103.253.115.205
67.227.226.240
103.27.72.16
198.54.117.197
8.208.21.228
213.186.33.16
188.214.18.2
103.250.185.138
103.1.220.17
184.168.221.52
47.91.170.222
193.37.213.133
185.141.25.242
185.87.187.198
Hashes
ad27668eef901c894d609b4951bbcf13dfc55f28e9b5cf8288ffcffa9a7df0ec
7d036e2eaa64b65ba2ce6e7865fd4c5d071dee4c24a80fd60c3aaa7b486026ab
7bafeaa0c6547ec5a9374843f15bd8f559836b06492b72646c74c0ff3c0a9c1d
0b5449bcc326e0f77830dd0c02c2dca1a2329f868046e2c70ac9ec435d76a553
660f76350269ff043f38a1be242abde2f1671aad9f4445a96d6e5b1e4642efc0
ae4694a5f69a1db8a666707f594c1740061fb8701ce4c201b04be62dfd2c1ac2
c8f991b8366a59c5bc79c09a1b079953dfc76084931625edf0408b484f457857
d145bb8f8f3abe1710ccc8cf48dcfa28a7c1a020e752881555a367dcf50a5ff8
bbdf3a57a3035007f441460e8f205195f3a66beb5fc8b7de064a38c94789144c
83627fb8623a8fd0e98fe5344b04ac085bacb9f0d021b84b87da33a3c5b95fcb
34e0a2e1610a22b314d18771920c7d227549716524567150784012c440fa678f
6eba1a6e16c05be30095ad078a29b7d8791e69394f2e91bc2af0f46f3e11dc4d
01c7f0ceec97601c2802fe5c8b6939c68a2134a95279a6deba093b3b9ac58d06
51357f80c49e7dd61998efc163b61f187feebe6c374c3b50d259e7c50aef3166
a785161885120253a36f6d9691b37dd193ff4ccc6fcb5f242c88e3c837484834
d8b2ffd30fe5984a39973b92b91efea09d90e39c99bd5b2327205463678e20a6
93a79c562149fb1ad9e901761652e8d07fa3996d958e6eb606b5dbb38772c179
28aa5261526a0254cc2082f1059da2c31262ef5c8259d925189b359e15b05edb
800edbe2939a62a77f6037a9624825056c6be0eb62c5e94902d7932e040ca3be
02bc9f6bd958aa1290d69cc0173020646db3efdc569ae8aa5ae207681b070520
Domains
www.bambootoyou.com
majul.com
metdinfo.com
www.tangomarketingsolutions.com
sanifil.net
pms-center.com
wxanalytics.ru
hikmahmuliautama.co.id
thuocnam.tk
m-onetrading-jp.com
krupskaya.com
isns.net
elx01.knas.systems
server1.monovm.com
adonis-medicine.at
sariincofood.co.id
shop.fluke.com
urbandictionary.store
owenewturk.ru
indextechno.com
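As an added example (not ANY.RUN's tooling), the following Python script shows how a SOC would put the list above to work: it matches a subset of the page's IOCs against constructed proxy and EDR log lines, normalising host names (case, trailing dot, subdomains) and digest case so that "MAJUL.com." or an upper-case hash still match while look-alikes such as "notmajul.com" do not. The log lines, the internal IPs, the host names and paths in them are made up for the example; only the indicators are taken from the page.

```python
import hashlib
import ipaddress
import re

# A subset of the IOCs listed on this page (IP addresses, SHA-256 hashes, domains).
IOC_IPS = {"213.186.33.2", "192.254.235.39", "185.141.25.242", "8.208.21.228"}
IOC_DOMAINS = {"www.bambootoyou.com", "majul.com", "wxanalytics.ru", "elx01.knas.systems"}
IOC_SHA256 = {
    "ad27668eef901c894d609b4951bbcf13dfc55f28e9b5cf8288ffcffa9a7df0ec",
    "7d036e2eaa64b65ba2ce6e7865fd4c5d071dee4c24a80fd60c3aaa7b486026ab",
}

# Constructed log lines: a proxy access log and a generic EDR process event. Only the
# hosts, IPs and the one hash come from the page's IOC list; everything else is made up.
SAMPLE_LOGS = [
    "1574300001.123 10.0.0.12 TCP_MISS/200 GET http://www.bambootoyou.com/gate.php",
    "1574300002.456 10.0.0.12 TCP_MISS/200 POST http://MAJUL.com./gate.php",
    "1574300003.789 10.0.0.34 TCP_MISS/200 GET http://cdn.wxanalytics.ru/x.js",
    "1574300004.000 10.0.0.34 TCP_MISS/200 GET http://notmajul.com/index.html",
    "1574300005.000 10.0.0.56 TCP_MISS/200 CONNECT 185.141.25.242:443",
    "1574300006.000 10.0.0.56 TCP_MISS/200 GET http://8.208.21.228/upd.exe",
    "EDR host=WS-0034 event=process_create "
    "sha256=AD27668EEF901C894D609B4951BBCF13DFC55F28E9B5CF8288FFCFFA9A7DF0EC "
    "path=C:\\Users\\u\\AppData\\Local\\Temp\\inv.exe",
    "EDR host=WS-0034 event=process_create "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000 "
    "path=C:\\Windows\\explorer.exe",
]

HOST_RE = re.compile(r"(?:https?://|CONNECT\s+)([^/\s:]+)", re.IGNORECASE)
SHA256_RE = re.compile(r"\bsha256=([0-9a-f]{64})\b", re.IGNORECASE)


def normalize_host(host):
    """Lower-case and strip a trailing dot so 'MAJUL.com.' compares equal to 'majul.com'."""
    return host.strip().lower().rstrip(".")


def domain_hit(host):
    """Exact match or a subdomain of a listed domain; 'notmajul.com' must not match 'majul.com'."""
    host = normalize_host(host)
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def ip_hit(host):
    """Match only syntactically valid IP addresses, so host names never reach the IP set."""
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        return None
    return ip if ip in IOC_IPS else None


def hash_hit(line):
    """SHA-256 from a log field, compared case-insensitively."""
    m = SHA256_RE.search(line)
    if not m:
        return None
    digest = m.group(1).lower()
    return digest if digest in IOC_SHA256 else None


def file_hash_hit(data):
    """For a file you hold rather than a log line: hash it and look it up."""
    digest = hashlib.sha256(data).hexdigest()
    return digest if digest in IOC_SHA256 else None


def scan_line(line):
    """All (ioc_type, ioc) pairs found on one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        host = normalize_host(host)
        ioc = ip_hit(host)
        if ioc is None:
            ioc = domain_hit(host)
            if ioc is not None:
                hits.append(("domain", ioc))
        else:
            hits.append(("ip", ioc))
    digest = hash_hit(line)
    if digest is not None:
        hits.append(("sha256", digest))
    return hits


def scan(lines):
    """(line_index, line, hits) for every line with at least one IOC match."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results.append((i, line, hits))
    return results


if __name__ == "__main__":
    for i, line, hits in scan(SAMPLE_LOGS):
        print(f"line {i}: {hits}")
```

Treat a match as a lead to investigate, not a verdict: an IOC list of this age and size includes shared-hosting addresses and domains that may also carry legitimate traffic, so pair a hit with the process, sender or user context before blocking. Suffix matching on subdomains is deliberate, since stealer panels are often hosted on a throwaway subdomain of a compromised site, but it should never be loosened to substring matching, which is what the "notmajul.com" line guards against.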
