Pony is malware with two main functions: stealing information and dropping other malicious programs with different tasks onto infected machines. It has been around since 2011 and still actively attacks users in Europe and America.

Type: Stealer
Origin: Unknown
First seen: 1 January, 2011
Last seen: 17 January, 2020
Also known as: Fareit, Siplog
Global rank: 8
Week rank: 15
Month rank: 18
IOCs: 5220

What is Pony malware?

Pony, also known as Fareit or Siplog, is an information stealer and loader – a malware used to collect data from infected machines and install other malicious programs. This particular virus was first spotted in the wild in 2011. It is known to attack users primarily in Europe and North America.

The earliest discovered version of Pony stealer is 1.7 and the latest known version is 2.2. Although it has been updated regularly, the malware has not gained groundbreaking new features since its first discovery by Microsoft. In addition to its core functionality, Pony can also steal cryptocurrency wallet credentials, FTP client credentials and autofill values from browsers.

In contrast to the majority of botnets, Pony stealer does not require a centralized C&C server or a group of C&C servers to carry out its attacks. Instead, each attacker can set up their own custom control server or purchase a server previously set up by another criminal, instantly gaining access to infrastructure that provides reports about the stolen data. The malware itself can be divided into two modules: the builder, which is used to construct clients that then have to be delivered to the victim’s machine to collect data, and the bot itself – the final payload.

General description of Pony

The robust functionality of the Pony trojan has helped this malware keep its position as the most popular password stealer for 5 years. Apart from being able to steal credentials, Pony malware can disable certain antivirus and Windows security features and run in the background completely hidden from the user, who may not have a clue that his or her PC is, in fact, infected. When activated, Pony stealer can use the infected PC to take part in botnet attacks, for example, using a hijacked machine to send spam emails. Pony can also download other malware to the victim’s machine and send harvested personal data to a destination specified by the attacker.

What’s more, Pony has been mentioned by multiple “hacker celebrities” as the backbone of many attack campaigns. For instance, the author of the infamous Andromeda botnet has referred to Pony as “titanic work of the author of miracle (Fareit Bot)”, further stating that Pony was incorporated in the Andromeda botnet attacks as a plug-in.

Part of the malware’s popularity is due to the fact that the source code of multiple Pony loader versions has been leaked and is available for download on the darknet. In particular, the source code of the Pony builder and loader versions 1.9 and 2.0 is available for download on several underground forums.

The Pony stealer builder is a program which attackers can use to construct custom Pony bots with pre-programmed C&C addresses, where stolen data is sent. The Pony bot is the actual program used for information stealing. The bot is written primarily in assembly language. A peculiar feature of this malware that separates it from the rest of the pack is its unique decoding technique. The bot itself does not come equipped with a decoding algorithm; instead, it uses only simple functions that send the encrypted information to the control server, where stolen passwords and other data are decrypted.

Even though the core feature set of the Pony trojan has not changed drastically over the course of its lifespan, newer versions of the malware have gained several anti-detection features designed to hinder research and disassembly of the malware. As such, in addition to standard evasion and anti-debugging techniques, each attacker has the ability to apply various packers, including custom ones, to avoid detection by antivirus software.

With the use of packers, the malware gains a Russian “matryoshka” nesting-doll-like design. While the payload is inactive, when the package containing Pony stealer is analyzed, the final payload cannot be detected by antivirus signatures since it is hidden in the innermost and smallest package. However, once activated, Pony has to unpack itself, thus revealing its presence.

Pony malware analysis

A video of a simulation recorded in ANY.RUN malware hunting service helps us to examine the behavior of Pony in-depth.

Figure 1: A process graph generated by ANY.RUN makes it possible to examine the lifecycle of Pony in visual form

Figure 2: Customizable text reports provided by ANY.RUN give more opportunities for research or for sharing study results

Pony execution process

In the case of our simulation, after the user ran the malicious file, the malware launched itself. Next, the malicious executable connected to the C2 server and started stealing information from the infected system. It should be noted that in some cases Pony is known to download other malware to the victim’s machine.

Distribution of Pony malware

Pony is distributed in multiple ways, among which are email spam campaigns, exploit kits and DNS poisoning. Pony can also be hidden within free downloadable online programs and can mimic legitimate software. Malicious emails usually include either a Microsoft Word document, an archive or a JavaScript file. As soon as the document is downloaded and opened, Pony is installed on the victim’s PC and starts executing.

Another attack vector of Pony is a compromised DNS server that has been infected by other malware. In this case, the victim is redirected to a malicious website from which Pony is downloaded onto the user’s PC.

How to detect Pony stealer using ANY.RUN?

Analysts can take a look at what changes the malware made in the registry. Just click on the process and then on the "More Info" button in the window that appears. In the "Advanced details of process" window, switch to the "Registry changes" tab. Note that you can switch between the friendly and raw display of changes.

Figure 3: Registry changes made by Pony

Conclusion

Availability and a robust feature set have helped make Pony stealer one of the most widely used information stealers. In fact, this malware is regularly used in attacks targeting Europe and North America. The danger of Pony attacks is further enhanced by its nesting-doll-like design, where the final payload hides within a layered package, allowing it to avoid easy detection. The interactive malware hunting service ANY.RUN gives researchers the ability to take a look at how this dangerous malware functions and examine its behavior in action in a safe environment.

IOCs

