{"id":2600,"date":"2024-09-25T18:59:39","date_gmt":"2024-09-25T18:59:39","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2600"},"modified":"2025-07-29T05:37:27","modified_gmt":"2025-07-29T05:37:27","slug":"taking-pony-malware-for-a-ride","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/taking-pony-malware-for-a-ride\/","title":{"rendered":"Taking Pony malware for a ride"},"content":{"rendered":"
\n
\"pony\"
pony<\/figcaption><\/figure>\n<\/div>\n\n\n

Despite its cute name, \u2018Pony\u2019 is anything but. Bucking the recent ransomware trend<\/a>, Pony is a form of credential stealing malware which is designed to pilfer log in credentials and is typically spread via spam email campaigns.

It has been implicated in the massive Equifax data breach<\/a>, which saw the personal details of more than 145 million people stolen, and was particularly popular after its release in 2013 where it was used to steal $200,000 in bitcoin<\/a> and 700,000 log in credentials. \u00a0

During a recent analysis of a Pony sample, we observed a call back which we\u2019ll unpack in today\u2019s post.\u00a0

Static properties of the sample<\/strong><\/ins>

MD5: C13C6AB0CC0AD7E045259E16ED768683
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1 Malicious Indicators of the malware<\/em>

After detecting the indicators and static properties of the sample, we checked for artefacts like libraries, imports and strings:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 2 Interesting strings<\/em>

We discovered what appears to be usernames, passwords and Pony call back URLS. Further analysis discovered even more passwords in the strings:\u00a0\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 3 Strings (passwords)<\/em>

We believe this password list indicates commonly used passwords which are used in brute force attacks. Subsequent analysis uncovered Pony\u2019s password stealer ability, in which it calls a query for encrypted passwords:<\/p>\n\n\n\n

\u2022    000000014070   000000416070      0   signons.sqlite<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

\u2022    00000001407F   00000041607F      0   signons.txt

\u2022    00000001408B   00000041608B      0   signons2.txt

\u2022    000000014098   000000416098      0   signons3.txt<\/p>\n\n\n\n

\u2022    000000014070   000000416070      0   signons.sqlite<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\u2022    0000000140B1   0000004160B1      0   SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins<\/td><\/tr>
\u2022    0000000140F7   0000004160F7      0   Firefox<\/td><\/tr>
\u2022    0000000140FF   0000004160FF      0   \\Mozilla\\Firefox\\<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

\u2022\u00a0\u00a0 \u00a0000000014111 \u00a0 000000416111 \u00a0 \u00a0 \u00a00 \u00a0 Software\\Mozilla

\u2022\u00a0\u00a0 \u00a0000000014126 \u00a0 000000416126 \u00a0 \u00a0 \u00a00 \u00a0 ftp:\/\/

\u2022\u00a0\u00a0 \u00a000000001412D \u00a0 00000041612D \u00a0 \u00a0 \u00a00 \u00a0 http:\/\/

\u2022\u00a0\u00a0 \u00a0000000014135 \u00a0 000000416135 \u00a0 \u00a0 \u00a00 \u00a0 https:\/\/

\u2022\u00a0\u00a0 \u00a0000000014143 \u00a0 000000416143 \u00a0 \u00a0 \u00a00 \u00a0 fireFTPsites.dat

\u2022\u00a0\u00a0 \u00a0000000014154 \u00a0 000000416154 \u00a0 \u00a0 \u00a00 \u00a0 SeaMonkey

\u2022\u00a0\u00a0 \u00a000000001415E \u00a0 00000041615E \u00a0 \u00a0 \u00a00 \u00a0 \\Mozilla\\SeaMonkey\\

Our sample primarily targeted passwords stored in Mozilla Firefox browsers. The query is trying to fetch the hostname, encrypted username, and encrypted password from Moz_logins table.\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Figure 4 Signons.sqlite (moz_logins)<\/em>

In addition to stored log in details, Pony also targeted FTP details\u2026

\u2022\u00a0\u00a0 \u00a000000001488B \u00a0 00000041688B \u00a0 \u00a0 \u00a00 \u00a0 Software\\LinasFTP\\Site Manager

\u2022\u00a0\u00a0 \u00a0000000014900 \u00a0 000000416900 \u00a0 \u00a0 \u00a00 \u00a0 Software\\SimonTatham\\PuTTY\\Sessions

\u2022\u00a0\u00a0 \u00a0000000014989 \u00a0 000000416989 \u00a0 \u00a0 \u00a00 \u00a0 FTP destination server

\u2022\u00a0\u00a0 \u00a00000000149A0 \u00a0 0000004169A0 \u00a0 \u00a0 \u00a00 \u00a0 FTP destination user

\u2022\u00a0\u00a0 \u00a00000000149B5 \u00a0 0000004169B5 \u00a0 \u00a0 \u00a00 \u00a0 FTP destination password

\u2022\u00a0\u00a0 \u00a00000000149CE \u00a0 0000004169CE \u00a0 \u00a0 \u00a00 \u00a0 FTP destination port

\u2022\u00a0\u00a0 \u00a00000000149E3 \u00a0 0000004169E3 \u00a0 \u00a0 \u00a00 \u00a0 FTP destination catalog

\u2022\u00a0\u00a0 \u00a00000000149FB \u00a0 0000004169FB \u00a0 \u00a0 \u00a00 \u00a0 FTP profiles

\u2022\u00a0\u00a0 \u00a0000000014A08 \u00a0 000000416A08 \u00a0 \u00a0 \u00a00 \u00a0 FTPShell

\u2022\u00a0\u00a0 \u00a0000000014A11 \u00a0 000000416A11 \u00a0 \u00a0 \u00a00 \u00a0 ftpshell.fsi

\u2022\u00a0\u00a0 \u00a0000000014A1E \u00a0 000000416A1E \u00a0 \u00a0 \u00a00 \u00a0 Software\\MAS-Soft\\FTPInfo\\Setup

\u2026 and SMTP email details, including server details, usernames and passwords. Outlook details are also captured:\u00a0

\u2022\u00a0\u00a0 \u00a0000000014F3C \u00a0 000000416F3C \u00a0 \u00a0 \u00a00 \u00a0 IMAP Password2

\u2022\u00a0\u00a0 \u00a0000000014F4B \u00a0 000000416F4B \u00a0 \u00a0 \u00a00 \u00a0 NNTP Password2

\u2022\u00a0\u00a0 \u00a0000000014F5A \u00a0 000000416F5A \u00a0 \u00a0 \u00a00 \u00a0 HTTPMail Password2

\u2022\u00a0\u00a0 \u00a0000000014F6D \u00a0 000000416F6D \u00a0 \u00a0 \u00a00 \u00a0 SMTP Password2

\u2022\u00a0\u00a0 \u00a0000000014F7D \u00a0 000000416F7D \u00a0 \u00a0 \u00a00 \u00a0 POP3 Password

\u2022\u00a0\u00a0 \u00a0000000014F8B \u00a0 000000416F8B \u00a0 \u00a0 \u00a00 \u00a0 IMAP Password

\u2022\u00a0\u00a0 \u00a0000000014F99 \u00a0 000000416F99 \u00a0 \u00a0 \u00a00 \u00a0 NNTP Password

\u2022\u00a0\u00a0 \u00a0000000014FA7 \u00a0 000000416FA7 \u00a0 \u00a0 \u00a00 \u00a0 HTTP Password

\u2022\u00a0\u00a0 \u00a0000000014FB5 \u00a0 000000416FB5 \u00a0 \u00a0 \u00a00 \u00a0 SMTP Password

\u2022\u00a0\u00a0 \u00a0000000014FC4 \u00a0 000000416FC4 \u00a0 \u00a0 \u00a00 \u00a0 Software\\Microsoft\\Internet Account Manager\\Accounts

\u2022\u00a0\u00a0 \u00a0000000014FF9 \u00a0 000000416FF9 \u00a0 \u00a0 \u00a00 \u00a0 Identities

\u2022\u00a0\u00a0 \u00a0000000015004 \u00a0 000000417004 \u00a0 \u00a0 \u00a00 \u00a0 Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts

\u2022\u00a0\u00a0 \u00a0000000015043 \u00a0 000000417043 \u00a0 \u00a0 \u00a00 \u00a0 Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings

\u2022\u00a0\u00a0 \u00a00000000150B9 \u00a0 0000004170B9 \u00a0 \u00a0 \u00a00 \u00a0 Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook

\u2022\u00a0\u00a0 \u00a0000000015113 \u00a0 000000417113 \u00a0 \u00a0 \u00a00 \u00a0 Software\\Microsoft\\Internet Account Manager

\u2022\u00a0\u00a0 \u00a000000001513F \u00a0 00000041713F \u00a0 \u00a0 \u00a00 \u00a0 Outlook

\u2022\u00a0\u00a0 \u00a0000000015147 \u00a0 000000417147 \u00a0 \u00a0 \u00a00 \u00a0 \\Accounts

\u2022\u00a0\u00a0 \u00a0000000015151 \u00a0 000000417151 \u00a0 \u00a0 \u00a00 \u00a0 identification

\u2022\u00a0\u00a0 \u00a0000000015160 \u00a0 000000417160 \u00a0 \u00a0 \u00a00 \u00a0 identitymgr

\u2022\u00a0\u00a0 \u00a000000001516C \u00a0 00000041716C \u00a0 \u00a0 \u00a00 \u00a0 inetcomm server passwords

\u2022\u00a0\u00a0 \u00a0000000015186 \u00a0 000000417186 \u00a0 \u00a0 \u00a00 \u00a0 outlook account manager passwords

The sample also contained two clsid (class identifier) numbers, neither of which were legitimate:

\u2022\u00a0\u00a0 \u00a0{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

\u2022\u00a0\u00a0 \u00a0{9EA55529-E122-4757-BC79-E4825F80732C}

Further research on these two clsid links them to Pony and Vawtrak malware variants. These clsid numbers can be used as indicators of compromise for detecting either malware strain infections in host machines.\u00a0<\/p>\n\n\n\n

Behavioural Analysis<\/strong><\/ins>

After executing the sample in our control environment, we observed the malware seeking out the following registry entries:

\u2022    SOFTWARE\\MICROSOFT\\WINDOWS LIVE MAIL

\u2022    SOFTWARE\\MICROSOFT\\INTERNET ACCOUNT MANAGER\\ACCOUNTS

\u2022    IDENTITIES\\{57AB3677-534E-4173-8F92-6566F6F82F10}\\SOFTWARE\\MICROSOFT\\INTERNET ACCOUNT MANAGER\\ACCOUNTS

\u2022    SOFTWARE\\MICROSOFT\\OFFICE\\OUTLOOK\\OMI ACCOUNT MANAGER\\ACCOUNTS

\u2022    SOFTWARE\\MICROSOFT\\WINDOWS LIVE MAIL

Software\\FlashPeak\\BlazeFtp\\Settings

Pony then attempts to steal the mail and FTP credentials before calling back to the following URLs:<\/p>\n\n\n\n

hxxp:\/\/139.99.8(.)218\/~blininfo\/temp\/shit.exe    <\/td><\/tr>
hxxp:\/\/139.99.8(.)218\/~blininfo\/temp\/gate.php    <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

We accessed these manually and were greeted with only 404 errors. We then observed batch files get dropped in the temp location, which upon execution deleted both the parent and batch files:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0

Figure 5 Batch file<\/em><\/p>\n\n\n\n

Prevention<\/strong><\/ins>

Based on the threat intelligence, we\u2019ve developed yara rules to identify Pony malware infections:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0

Figure 6 Pony Yara rule to test<\/em>

The yara rules were tested against this malware sample and detected it without any issue:\u00a0
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Figure 7 Yara rule detects the pony sample<\/em>

IOC Details:<\/strong><\/ins>

Url:<\/strong>

hxxp:\/\/139.99.8(.)218\/~blininfo\/temp\/shit.exe\u00a0\u00a0 \u00a0

hxxp:\/\/139.99.8(.)218\/~blininfo\/temp\/gate.php\u00a0\u00a0 \u00a0<\/p>\n\n\n\n

Conclusion<\/strong>

Not only is Pony a credential stealer, it also compromises the host which can lead to further malware downloads. Although the call back URLs resulted in 404 errors, they should be blocked in proxy and firewall settings. Finally, the above yara rules can detect the malware in the host, and so can be used in any compromise assessment. 

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Despite its cute name, ‘Pony’ is anything but. Bucking the recent ransomware trend, Pony is a form of credential stealing malware which is designed to pilfer log in credentials and is typically spread via spam email campaigns. It has been implicated in the massive Equifax data breach, which saw the personal details of more than […]<\/p>\n","protected":false},"author":1,"featured_media":2609,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2600","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2600"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2600\/revisions"}],"predecessor-version":[{"id":4295,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2600\/revisions\/4295"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2609"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2600"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}