Pony (also known as Fareit or Siplog) is a long-running loader/stealer that also operates as a botnet; for over a decade it has been used for information theft and to deploy other malware into victim environments. It spreads via phishing, compromised websites, and fake software downloads, and exists in multiple variants with extensive anti-analysis and multi-stage execution techniques that rely on .NET components, persistence tricks, and modular payloads. hashtags: #Pony #TA505
Keypoints
- Pony/Fareit is a loader and stealer with over 10 years of presence, continually updated and sold on underground channels, used for information theft and to enable other malware.
- Typical delivery involves phishing in local-language messages or compromised web pages, sometimes via exploit kits or fake programs that install the loader directly.
- Multiple threat groups have used Fareit/Pony, including Cobalt Group, Gold Evergreen (TA505/GracefulSpider), Gold Galleon, and Gold Essex (TA544/NarwhalSpider).
- Core capabilities include data theft, persistence, and botnet functionality, with many variants sharing a core loader that injects into other processes and loads additional modules in memory.
- Technical characteristics described include heavy use of .NET, anti-analysis/anti-VM techniques, process injections (including into .NET processes), and multi-stage loading with auxiliary files for persistence and startup.
- Payload behavior involves extracting and loading binaries in memory, establishing C2 communication, and exfiltrating data from FTP, browsers, and other software; the operator can use legitimate websites and compromised panels as C2 endpoints.
MITRE Techniques
- [T1059.005] VBScript – Brief description: Loader in VBS of pony executed via wscript. Quote: “Loader in VBS of pony executed via wscript”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Run Once – Brief description: Persistence using dropped files in temporary folders referenced from different registry keys. Quote: “Persistence using dropped files in temporary folders in different registry keys”
- [T1070.004] File Deletion – Brief description: Delete file using .BAT. Quote: “Delete file using .BAT”
- [T1036] Masquerading – Brief description: Paths used to drop auxiliary files or copies of the original binary. Quote: “Paths used to drop auxiliary files or copies of original binary”
- [T1055.012] Process Injection – Brief description: Process injection into target processes (including .NET) to hide and extend capabilities. Quote: “Process injection”
Indicators of Compromise
- [Hash] Payload/file hashes – 1a1dc33fae444afdd54f6f50dd47ed4b9f673fbc5595dad7b48e78cac0458465, 6a581c0c07ceb888ea418fccffd5efba33b9fd6561be1bcf90b0d6ba4deefd05, and 2 more hashes
- [Registry Key] Persistence keys used for startup – HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- [File/Path] Auxiliary and main payload deployment paths – C:\Users\user\AppData\Local\Temp\*.bat|.exe, C:\Users\user\AppData\Roaming\Microsoft\*.bat|.exe, C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\*.bat|.exe
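As an added defender-side example (not from the original write-up), the following Python hunt runs over Sysmon registry value-set events and flags writes into the three autostart locations listed above whose data points at a .bat or .exe inside the listed Temp/Roaming drop directories. The HKU-to-HKCU normalisation, the JSON-lines input shape and the sample events are assumptions constructed for this example.

```python
import json
import re

# Autostart locations from the IoC list (backslashes restored). "Load" is a
# value under the Windows key; Run/RunOnce hold one value per autostart entry.
PERSISTENCE_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Drop directories from the IoC list; any profile name is accepted.
DROP_PATH_RE = re.compile(
    r'[A-Za-z]:\\Users\\[^\\"]+\\AppData\\'
    r'(?:Local\\Temp|Roaming\\Microsoft(?:\\Windows\\Templates)?)'
    r'\\[^\\"\s]+\.(?:bat|exe)\b', re.IGNORECASE)

# Sysmon writes HKCU as HKU\<user SID>; normalise so both spellings compare equal.
HKU_SID_RE = re.compile(r"^HKU\\S-1-5-21(?:-\d+)+\\", re.IGNORECASE)

def is_pony_persistence(event):
    """True for a Sysmon value-set event (EventID 13) that stores a Temp/Roaming
    .bat/.exe path in one of the autostart locations above."""
    if event.get("EventID") != 13:
        return False
    target = HKU_SID_RE.sub(r"HKEY_CURRENT_USER\\", event.get("TargetObject", "")).lower()
    in_key = any(target == k.lower() or target.startswith(k.lower() + "\\")
                 for k in PERSISTENCE_KEYS)
    return in_key and DROP_PATH_RE.search(event.get("Details", "")) is not None

def scan(jsonl_lines):
    """Return (TargetObject, Details) for every matching event, in log order."""
    hits = []
    for line in jsonl_lines:
        event = json.loads(line)
        if is_pony_persistence(event):
            hits.append((event["TargetObject"], event["Details"]))
    return hits

# Constructed sample events (JSON lines); not taken from any real incident.
SAMPLE_LOG = [
    r'{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpd", "Details": "\"C:\\Users\\alice\\AppData\\Local\\Temp\\winupd.exe\""}',
    r'{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load", "Details": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\svchost.bat"}',
    r'{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1002\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\cleanup", "Details": "cmd /c C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\del.bat"}',
    r'{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor", "Details": "C:\\Program Files\\Vendor\\app.exe"}',
    r'{"EventID": 12, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "Details": ""}',
]

if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG):
        print(f"ALERT {key} -> {value}")
```

The last two sample events are benign controls: a Run value pointing at Program Files and a key-creation event (EventID 12) produce no alert.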
Read more: https://rexorvc0.com/2024/02/04/Pony_Fareit/