Pony Loader: A Big Threat That Now Steals Cryptocurrency Wallets

admin Cloud Security Expert - CloudCodes Software
  • August 10th, 2018

Pony Loader is years-old data thief Trojan that was earlier used to spread Necurs and Zeus Trojans. But with update in technology, this threat also got advance. Today, this malware is exclusively being used for phishing campaigns, since the time crimeware source programming was available for sale in underground hacking forums. A research laboratory found 2 variants of this information theft malware that is – Gen:Variant.Midie.41711 and Gen:Variant.Injector.124.

Phishing The Mail Attachments

The major source of spreading Pony Loader malware is through emails or email’s attachments. This threat designs attractive emails and documents name for forcing recipients to open that mail and download its infected file. Such attachments get automatically synchronized with services of the cloud storage that uses ‘file collaboration’ settings in common 3rd party apps or SaaS programs.

The research says that these suspected attachments comprise of .r11 and .ace extensions. Both these file formats are supported by traditional compression software like WinRAR. The compressed archived file with these extensions causes successful exploding of threat, just after the time when the victim executes the file. File decompression leads to spreading of malware in the PC causing an unexpected disaster on victim’s computer.

Depth Analysis of Pony Loader

Both the variants of pony loader comprises of binaries within them, which are compacted and complied with MS Visual Basic. Both the payloads are equally responsible to steal account credentials from victim’s machine because of the multiple services for password authentication process like FTP browser and accounts. The availability of binary can be determined by a unique string i.e.,YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0. This string is presented in the memory when Pony Loader binary is in running state.

Well, the recent edition of the malware tried to fetch credentials from the 35 cryptocurrency wallets. To apply the brute-force attack in user accounts, Pony Loader malware comprises of 232 common password list.

Preventive Measures To Be Safe From Pony Loader

  • Apply common account security policies:
    • Scan all file uploads from the remote devices to sanctioned cloud apps for malware
    • Scan all file uploads from unmanaged applications to sanctioned cloud apps for malware
    • Perform scanning on all the files downloaded from unsanctioned online apps for malware
    • Perform scanning on all the files downloaded from unsanctioned instances of the sanctioned apps for malware
    • Apply the actions like quarantine or block, immediately after malware detection. This will reduce the user impact
    • Block the unsanctioned instances of well-known online applications. This will limit attackers from breaking the customers trust in the cloud. It seems quite hard to implement and use but, it surely eliminates the risk of Pony Loader malware attack.
  • Activate the “View known file extensions” feature on PCs having Windows Operating system.
  • Enforce data loss prevention policies for controlling documents and information, covering inside as well as outside network.
  • Periodically once in a week, take backup of crucial content, which is saved on the cloud.
  • On receiving a weblink through any means like email, check its legitimate by hovering the mouse around it.
  • Organizations should keep their machines OS, programs, and antivirus software up-to-date.
  • If known then, administrators can also improve credential protection system in MS Windows.
  • Give warning to employees to avoid using unsigned macros or the macros from an untrusted source.
  • Warn employees not to execute any unknown document, until-and-unless they are not sure about its accessing impact.

Observational Verdict

Pony Loader is one of the popular Cyberthreats for data breaches. An observation says that both the payloads of this malware are responsible for stealing credentials from multiple password authentication services. One edition of Pony Loader tries to fetch data from the cryptocurrency wallets and perform a brute-force attack with the same intention. Organizations are instructed to draw their attention toward social engineering tactics through threat actors, and ignore opening of suspicious messages and attachments.