Pony (also known as Fareit or Siplog) is a malware categorized as a loader and stealer, although it is also used as a botnet, being a tool that has been used for more than 10 years and is still in use. This infamous malware continues to receive updates and can be purchased, and has been involved in information theft or used to launch other malwares during attacks on victim infrastructures.
Given that this malware has such a long history (yes, 10 years in cyber is a lot), the methods of use and execution of Pony have varied, as it has depended on who has used it, whether they are more or less organized groups. It has typically been seen in phishing campaigns where a typical message in the language of the targeted country was introduced, simulating some kind of urgency, or alternatively, attacked web pages have been seen where download links have been replaced by a Fareit loader or directly the execution of it. Pony has also been notorious in exploit kits or in fake programs where trying to download the free version of something would gift you with a malware disguised as a small horse.
Pony has been seen used by various groups, usually related to crime, whose general objective is usually to obtain money, and whose functionality of stealing data, persisting, and also the possibility of being used as a bot, is tremendously useful. Obviously, most cases of the use of this type of tool cannot be associated with groups, and years ago the code of Pony versions was leaked, which increased its use both in organized and less organized groups. However, when incidents are observed in which an actor interacts with tools typical of a group or with a characteristic kill chain with methodologies that have been used before, it helps us to place these tools also in their use in more organized groups. Therefore, the groups of this type that have been seen using Fareit are as follows:
- Cobalt Group ( 🇷🇺 )
- Gold Evergreen | TA505 | GracefulSpider ( 🇷🇺 )
- Gold Galleon ( Suspected 🇳🇬 )
- Gold Essex | TA544 | NarwhalSpider ( 🏴 )
As I mentioned earlier, actors who normally use Pony can launch it in various ways, with the aim of having the loader or the file downloaded with more or less intent. The next step will depend on the origin, with a document launching a preliminary version or a ZIP/RAR containing a supposed software or important document that we have downloaded. After this, except for some versions that use scripts to launch Pony, we will have the main execution of the malware. As usual, there are different versions coexisting that in their core are practically the same, but hide peculiarities that change the execution approach and, of course, the understanding and detection of the malware.
In this graph, I try to depict the synthesis of most of the functionalities of Pony that I found months ago:
As I mentioned, I have launched and analyzed a large number of different samples, and I’ll leave you some examples of how their execution would look like here, representing the most typical ones. In most samples, they make changes to network registries to have smooth communication with suspicious domains or to prevent the system from alerting about any unusual communication or traffic that would be denied by default
Getting into the specifics, the first thing we can see is directly how information is obtained from the system, or conversely, how auxiliary files or copies of the main file are started in other paths
On occasions, I have encountered samples that focus heavily on what some RATs do, which I have seen many times, which is the abuse of legitimate .NET tools where they inject or load modules into them to remain hidden. (This time, you might want to enjoy playing The Witcher, and you’d encounter an interesting problem)
When launching auxiliary files or copies of the main file, it usually deletes the original file by running a .BAT, which in most cases, if not all, is identical:
When we take a closer look at the samples, most of them are usually .NET, although I have encountered other compilers, packed versions, but the one that abounds is usually .NET. What we usually see is how it handles large strings, which is usually another binary
Basically, what it does is pass it through a function to extract the binary.
A representative chart of everything together would be the following:
As you can see, I’ve called it “Load Module”, initially, I thought it performed several concatenated injections, something I’ve seen before. In this case, it’s interesting because what it extracts in memory, as you can see, has Anti-Analysis techniques, potential for injection (we see Unmap, so we can guess it will do ProcessHollow), and more functions
This module, once it is already loaded (S is the secondary), we can see it in the main (with socru being the main).
In the end, the module is another .NET that will be hosted within the main one and will expand the functionalities of the first. These techniques are ultimately used to not be able to understand the intentions of the initial sample and to make detection more difficult
In some other samples, it practically does the same work to extract it, but the module is more or less obfuscated, but the functionality does not change. I was really lucky because the first samples I analyzed were not obfuscated, which later helps you understand the functionality of the samples and have a more discerning eye.
An example of these obfuscated samples that ultimately do the same thing:
This module, which is actually running after the first one, means that we don’t see the original binary spawning anything at first glance; we only see it working
After this, it starts creating folders to launch the subsequent files that we have seen before. We will see them in more detail later, but the one with less weight (12KB) is an auxiliary file that only takes care of persistence and searching for the base file to restart execution, which in this case is the one with more weight (304KB), which is nothing more than an identical copy of the file we initially downloaded
As I mentioned earlier, it has various basic Anti-Sandbox and Anti-VM techniques, which ultimately involve making requests to know the video controller we have. If we are emulating a machine, they will typically have strings from VirtualBox or VMWARE. In the other case, it involves capturing running processes and seeing if any of them are related to tools it doesn’t like, which is quite common
The summary of these would be as follows:
Continuing with the thread, we would see how it copies itself. This doesn’t always happen because, as I mentioned earlier, sometimes it uses direct loading or injection onto .NET processes (like the one we saw before with The Witcher)
After this, it has a copy of itself and has increased its capabilities, but the next step is to perform an injection on itself. Here we see that it has different options, which in our case leads to self-injection, as it searches for “Filename” but has the ability to inject into other .NET-related processes
Examples of posible .NET-related process:
As we suspected earlier, it performs Process Hollowing since it has the ability to remove data from the target process, reserve space in it, and insert code
In the end, what we see is how it resolves the header and suspends a process, in this case, itself, in another thread to inject the code. As we can see, it has imports related to UPX, but we’ll see this later
The summary of all this work is shown in another graph:
When it performs the injection, it launches the auxiliary file I mentioned earlier, which supports it, and kills the main process. Also, here it executes the .BAT in some samples for self-deletion
In this auxiliary file, as I mentioned, it takes care of persistence and restarting execution, so it will simply be a file that will be in charge of restarting the whole cycle again, executing the copy that it will have launched in some folder, restarting the module loading, the injection, and so on, so we see how it executes it.
And how it creates persistence from this auxiliary file
Depending on the samples, persistence is carried out in one key or another, and it also depends on some occasions on the module loaded into memory, as it already has the ability to persist because it does not have an auxiliary file. So, the summary is as follows:
Here I have tried to go step by step from when I take a first sample and develop all its functionality in order, but we are missing a step because the thread has followed this logic:
├ (Parentprc) Principal binary < DONE
├ (Parentprc) (Load in runtime) Load new module < DONE
├ (Parentprc) New capabilities at ppal binary < DONE
|————├ (Childprc) (Injected) Injection of new code (?)
We had mentioned that it injects new code, but during the analysis, we had not been able to look at this, so when extracted manually, we obtain a sample in UPX.
Once the unpack is done (well unpack, it pains me to consider UPX as a packer out of respect for true geniuses I have been lucky enough to know who have collaborated on packers that are works of art, but in practice it is a packer 😀 ). This code is responsible for establishing communication with the C&C. It has interesting modules to handle users, establish communication, or also write files. So, in the end, the attacker can launch more malware from outside or have quite extensive control with a network channel
Here we find countless references to FTP, search engines, email, etc. That we will see it obtains during runtime once the injection has been done.
Also, in some samples, we find directly the URL with which it will establish communication, which will also be the Pony portal
Unfortunately, the panel in the samples I was looking at was already down. It’s quite curious because, as I mentioned at the beginning, more than half of the samples referenced legitimate company websites that had been exploited and had their Pony panel inserted. This is a fairly high percentage, and I found it curious because I also found companies that had experienced this situation and had open directories. Anyway, for your reference, here’s how the login panel usually looks, maintaining the same structure:
In the end, what we see is how it makes requests via registry or files to a large number of software that it will later exfiltrate.
The summary graph of several samples is as follows:
More or less usually steals similar things, FTP, tools related with passw, browsers, and so on.This is usually done either by looking in the configuration files of the softwares or by looking in the registry as I said before. Here’s a list of what most closely matched the samples I have seen
Martin Prikryl / WinSCP
Bullet Proof FTP
Windows Live Mail
I have reached the point of injecting the payload in different samples, but to no one’s surprise, it was quite similar in terms of loaded functions, strings (there are many more in one, but it’s due to the extraction), in short, the core of the payload was very similar in all of them.
This can also be seen more simply when it injects into .NET processes
As I mentioned, there are various samples, but most of them rely on an auxiliary file to maintain persistence, whose path tends to change quite a bit and serves as a loader for a copy of the main binary that will be launched in some location, which is also variable. At this point, it usually loads another module, either into itself, into another file, or into one related to .NET, which serves to increase capabilities and then perform injection at runtime. After this, it establishes communication after stealing data from different software, as well as basic system and/or user information. It is quite common in the use of Pony that the target websites where it communicates are websites that have been previously exploited due to poor security management, so it also helps in its concealment that it actually communicates with a school or university website (Yes, I’ve seen them in Pony too). The downside of this is that the paths established by the attacker where the panel is installed tend to fall quite quickly, making it difficult to pivot and store IOCs because they are very variable and often related to legitimate websites
I also checked in underground markets and forums, and it’s interesting that there are quite old posts where it is promoted a bit and how people are still in that thread asking for certain functionalities or software expansions
Finally, I would like to thank you for reading this analysis and for supporting me 🙂
- [TA0002][T1059.005] Loader in VBS of pony executed via wscript
- [TA0003][T1547.001] Persistence using dropped files in temporary folders in diferent registry keys
(Registry) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Load
- [TA0005][T1070.004] Delete file using .BAT
- [TA0005][T1036] Paths used to drop auxiliar files or copies of original binary
- [TA0005][T1055.012] Process injection
From file in temporary folder > injection > csc/MSBuild
From file in temporary folder > injection > Other unidentified file in same temporary path