Pony Loader is a years-old credential-stealing Trojan that was earlier used to distribute the Necurs and Zeus Trojans. Like the rest of the crimeware ecosystem, it has kept evolving: since its source code went on sale in underground hacking forums, the malware has been used exclusively in phishing campaigns. A research laboratory identified two variants of this information-stealing malware, detected as Gen:Variant.Midie.41711 and Gen:Variant.Injector.124.
Pony Loader spreads mainly through e-mail and e-mail attachments. The campaigns use enticing subject lines and document names to persuade recipients to open the message and download the infected file. Because 'file collaboration' is commonly enabled in third-party apps and SaaS products, such attachments can also be synchronised automatically into cloud storage, carrying the file beyond the original mailbox.
The research reports that the suspect attachments carry .r11 and .ace extensions. A .r11 file is a continuation volume of a split RAR archive and .ace is the ACE archive format; both are handled by mainstream compression software such as WinRAR. The compressed archive does nothing until the victim extracts it and executes its contents; at that point the payload runs and the infection of the victim's computer begins.
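As an added example (not code from the original article or from the researchers it cites), here is a small Python triage routine that flags e-mail attachments of the kind described above by both extension and archive signature, so an archive renamed to a harmless-looking extension is still caught. Extending the two named extensions to the whole .r00 to .r99 split-volume series is an assumption of this example, and the sample attachments are constructed header bytes, not real malware.

```python
"""Triage e-mail attachments for the archive types Pony Loader campaigns abuse.

Added example, not code from the original article. Checks both the file
name and the archive signature, so an archive renamed to .jpg is still caught.
"""
import os

# Extensions named in the article (.r11, .ace). Extending to the whole
# .r00-.r99 series of RAR split volumes is an assumption of this example.
SUSPECT_EXTS = {".ace", ".rar"} | {f".r{n:02d}" for n in range(100)}

# Archive signatures: every RAR volume starts with "Rar!\x1a\x07";
# an ACE archive carries "**ACE**" at offset 7 of its main header.
RAR_MAGIC = b"Rar!\x1a\x07"
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7


def archive_type(data: bytes):
    """Return 'rar', 'ace' or None from the content alone, ignoring the name."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    end = ACE_MAGIC_OFFSET + len(ACE_MAGIC)
    if data[ACE_MAGIC_OFFSET:end] == ACE_MAGIC:
        return "ace"
    return None


def triage_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment when either its name or its content looks like an
    archive of the kind used in these campaigns."""
    ext = os.path.splitext(filename.lower())[1]
    kind = archive_type(data)
    reasons = []
    if ext in SUSPECT_EXTS:
        reasons.append(f"extension {ext} is on the suspect list")
    if kind is not None:
        reasons.append(f"content is a {kind} archive")
        if ext not in SUSPECT_EXTS:
            reasons.append("archive signature does not match the extension")
    return {
        "file": filename,
        "ext": ext,
        "type": kind,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples: header bytes only, not real attachments or malware.
SAMPLES = {
    "invoice_2020.r11": RAR_MAGIC + b"\x00" * 32,        # RAR split volume
    "scan.ace": b"\x00" * ACE_MAGIC_OFFSET + ACE_MAGIC + b"\x00" * 32,
    "report.pdf": b"%PDF-1.4\n" + b"\x00" * 32,          # benign
    "photo.jpg": RAR_MAGIC + b"\x00" * 32,               # RAR renamed to .jpg
}


def triage_all(samples=SAMPLES):
    """Run triage over a mapping of filename -> bytes; return flagged names."""
    return sorted(name for name, data in samples.items()
                  if triage_attachment(name, data)["suspicious"])


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage_attachment(name, data))
```

Checking the signature as well as the name matters because mail gateways that block by extension alone are trivially bypassed by renaming the archive; the content check catches the renamed RAR in the sample set while leaving the PDF alone.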
Both Pony Loader variants carry an embedded binary that is packed and compiled with Microsoft Visual Basic. Both payloads steal account credentials from the victim's machine by targeting the many applications that store passwords for authentication, such as FTP clients and web browsers. A running Pony Loader binary can be identified by the unique string YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0, which is present in process memory while the binary executes.
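The marker string above is something a responder can hunt for in a memory dump. The following Python scanner is an added example, not tooling from the article or the researchers; it reads a dump in fixed-size chunks with overlap so a marker that straddles a chunk boundary is not missed, and the sample dump it scans is constructed inline rather than captured from a real process.

```python
"""Hunt for the Pony Loader runtime marker in a process memory dump.

Added example, not tooling from the article. The dump is read in chunks
with overlap so a marker split across a chunk boundary is still found.
"""
import io

# Marker the article reports in memory while a Pony Loader binary runs.
PONY_MARKER = b"YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"


def find_marker(stream, marker=PONY_MARKER, chunk_size=1 << 20):
    """Return absolute offsets of every occurrence of `marker` in `stream`.

    Only `chunk_size` bytes plus a len(marker)-1 byte carry-over are held in
    memory at a time, so multi-gigabyte dumps can be scanned.
    """
    offsets = []
    overlap = len(marker) - 1      # longest partial match a chunk can end with
    carry = b""                    # tail of the previous chunk
    base = 0                       # absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        pos = buf.find(marker)
        while pos != -1:
            offsets.append(base + pos)
            pos = buf.find(marker, pos + 1)
        # A match needs len(marker) bytes, so nothing starting inside the last
        # `overlap` bytes has been reported yet; keep them for the next round.
        carry = buf[-overlap:] if overlap else b""
        base += len(buf) - len(carry)
    return offsets


def scan_bytes(data: bytes, chunk_size=1 << 20):
    """Wrapper for in-memory data, e.g. a region already read from a process."""
    return find_marker(io.BytesIO(data), chunk_size=chunk_size)


def scan_dump(path: str, chunk_size=1 << 20):
    """Scan a dump file on disk, e.g. one written by procdump or a full capture."""
    with open(path, "rb") as fh:
        return find_marker(fh, chunk_size=chunk_size)


# Constructed dump: padding, two full markers and one truncated marker that
# must not match. Not a real memory capture.
SAMPLE_DUMP = (
    b"\x00" * 1000
    + b"junk data"
    + PONY_MARKER
    + b"\x00" * 500
    + PONY_MARKER[:10]        # partial marker, must be ignored
    + b"\x00" * 100
    + PONY_MARKER
    + b"\xff" * 37
)

if __name__ == "__main__":
    # A tiny chunk size forces the markers across chunk boundaries.
    print(scan_bytes(SAMPLE_DUMP))
    print(scan_bytes(SAMPLE_DUMP, chunk_size=7))
```

The carry-over of len(marker)-1 bytes is the part that is easy to get wrong: without it a marker whose first byte lands at the end of one chunk is silently lost, and with a larger carry the same hit can be reported twice. Scanning with chunk_size=7 in the usage block exercises exactly that boundary case and must return the same offsets as the single-chunk scan.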
The most recent edition of the malware also attempts to extract credentials from 35 cryptocurrency wallets, and it carries a list of 232 common passwords that it uses to brute-force user accounts.
Pony Loader remains one of the more common threats behind data breaches. Both payloads steal credentials from multiple password-protected services, and one edition additionally targets cryptocurrency wallets and brute-forces accounts with the same goal. Organizations are advised to train staff on the social-engineering tactics threat actors use and to avoid opening suspicious messages and attachments.