Pony Loader: A Big Threat That Now Steals Cryptocurrency Wallets

Pallavi Varanasi Cloud Security Expert - CloudCodes Software
  • November 1st, 2020

Pony Loader is a year-old data thief Trojan that was earlier used to spread Necurs and Zeus Trojans. But with updates in technology, this threat also got advance. Today, this malware is exclusively being used for phishing campaigns, since the time crimeware source programming was available for sale in underground hacking forums. A research laboratory found 2 variants of this information theft malware that is – Gen: Variant.Media.41711 and Gen: Variant.Injector.124.

Phishing The Mail Attachments

The major source of spreading Pony Loader malware is through emails or email attachments. This threat designs attractive emails and documents name for forcing recipients to open that mail and download its infected file. Such attachments get automatically synchronized with services of the cloud storage that uses ‘file collaboration’ settings in common 3rd party apps or SaaS programs.

The research says that these suspected attachments comprise of .r11 and .ace extensions. Both these file formats are supported by traditional compression software like WinRAR. The compressed archive file with these extensions causes successful exploding of threat, just after the time when the victim executes the file. File decompression leads to the spreading of malware in the PC causing an unexpected disaster on the victim’s computer.

Depth Analysis of Pony Loader

Both the variants of pony loader comprised of binaries within them, which are compacted and complied with MS Visual Basic. Both the payloads are equally responsible to steal account credentials from the victim’s machine because of the multiple services for the password authentication process like the FTP browser and accounts. The availability of binary can be determined by a unique string i.e., YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0. This string is presented in the memory when the Pony Loader binary is in a running state.

Well, the recent edition of the malware tried to fetch credentials from the 35 cryptocurrency wallets. To apply the brute-force attack in user accounts, Pony Loader malware comprises a 232 common password list.

Preventive Measures To Be Safe From Pony Loader

  • Apply common account security policies:
    • Scan all file uploads from the remote devices to sanctioned cloud apps for malware
    • Scan all file uploads from unmanaged applications to sanctioned cloud apps for malware
    • Perform scanning on all the files downloaded from unsanctioned online apps for malware
    • Perform scanning on all the files downloaded from unsanctioned instances of the sanctioned apps for malware
    • Apply the actions like quarantine or block, immediately after malware detection. This will reduce the user impact
    • Block the unsanctioned instances of well-known online applications. This will limit attackers from breaking the customer’s trust in the cloud. It seems quite hard to implement and use but, it surely eliminates the risk of Pony Loader malware attack.
  • Activate the “View known file extensions” feature on PCs having a Windows Operating system.
  • Enforce data loss prevention policies for controlling documents and information, covering inside as well as outside network.
  • Periodically once in a week, take the backup of crucial content, which is saved on the cloud.
  • On receiving a weblink through any means like email, check its legitimate by hovering the mouse around it.
  • Organizations should keep their machines OS, programs, and antivirus software up-to-date.
  • If known then, administrators can also improve the credential protection system in MS Windows.
  • Give warning to employees to avoid using unsigned macros or the macros from an untrusted source.
  • Warn employees not to execute any unknown document until-and-unless they are not sure about its accessing impact.

Observational Verdict

Pony Loader is one of the popular Cyberthreats for data breaches. An observation says that both the payloads of this malware are responsible for stealing credentials from multiple password authentication services. One edition of Pony Loader tries to fetch data from the cryptocurrency wallets and perform a brute-force attack with the same intention. Organizations are instructed to draw their attention toward social engineering tactics through threat actors and ignore the opening of suspicious messages and attachments.