Pony (also known as Fareit or Siplog) is malware categorized as a loader and stealer, although it is also used as a botnet. It has been in use for more than 10 years and is still active. This infamous malware continues to receive updates, can be purchased, and has been involved in information theft and in launching other malware during attacks on victim infrastructures.
Given that this malware has such a long history (yes, 10 years in cyber is a lot), the ways Pony is used and executed have varied, depending on who has used it and how organized those groups were. It has typically been seen in phishing campaigns in which the message is written in the language of the targeted country and simulates some kind of urgency. Alternatively, compromised web pages have been seen where download links were replaced with a Fareit loader, or where the loader was executed directly. Pony has also been notorious in exploit kits and in fake programs, where trying to download the free version of something would gift you with malware disguised as a small horse.
Pony has been seen used by various groups, usually related to crime, whose general objective is to obtain money, and for whom its functionality of stealing data, persisting, and optionally acting as a bot is tremendously useful. Obviously, most cases of the use of this type of tool cannot be associated with specific groups, and years ago the code of several Pony versions was leaked, which increased its use among both organized and less organized groups. However, when incidents are observed in which an actor interacts with tools typical of a group, or with a characteristic kill chain and methodologies that have been used before, it helps us to place these tools in their use by more organized groups as well. The groups of this type that have been seen using Fareit are as follows:
- Cobalt Group ( 🇷🇺 )
- Gold Evergreen | TA505 | GracefulSpider ( 🇷🇺 )
- Gold Galleon ( Suspected 🇳🇬 )
- Gold Essex | TA544 | NarwhalSpider ( 🏴 )
SystemBC, also known as Coroxy or DroxiDat, is malware categorized as proxy malware, a bot, a backdoor, and even a RAT, since its uses can be diverse depending on the attacker, making it a versatile tool for threat actors. Active since 2018, it has gained significant popularity, finding a warm reception in underground markets where it can be purchased, and interest in it has not waned: incidents involving its use are recorded every year.
Coroxy achieves execution on target systems through various methods, depending on the group using it. Recorded attacks have involved reconnaissance phases, lateral movement, and the deployment of SystemBC, often complemented with CobaltStrike. In other cases, it has been employed in spear-phishing campaigns, where it is delivered and installed on the victim's system via loaders or other malware. While the malware's methodology has evolved, its core functionality remains consistent. In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a SOCKS5 connection with the Command and Control (C&C) server, transmitting basic information and waiting for commands or for the attacker to launch other malware. This provides a backdoor from which the attacker can operate out of their own infrastructure.
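The SOCKS5 connection to the C&C is the piece of SystemBC's behaviour a defender can look for on the wire. The following is an added example, not code from the original post or from any SystemBC analysis: it parses the RFC 1928 client greeting (version byte, method count, method list) out of the first client-to-server bytes of a flow and raises an alert when such a greeting is sent to a destination that is not an approved proxy. The flows, the `APPROVED_PROXIES` allowlist and the `INTERNAL_NETS` range are constructed for the example; real SystemBC traffic may be wrapped or encoded differently, so this is a generic SOCKS5-handshake heuristic rather than a family-specific signature.

```python
import ipaddress
from dataclasses import dataclass

SOCKS5_VERSION = 0x05


@dataclass(frozen=True)
class Flow:
    """One outbound TCP flow plus the first client-to-server payload bytes (constructed)."""
    src: str
    dst: str
    dport: int
    first_bytes: bytes


def is_socks5_greeting(payload: bytes) -> bool:
    """True if payload starts with an RFC 1928 client greeting:
    VER (0x05) | NMETHODS | METHODS[NMETHODS]."""
    if len(payload) < 3 or payload[0] != SOCKS5_VERSION:
        return False
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return False
    # 0xFF means "no acceptable methods" and is only ever sent by the server.
    return all(m != 0xFF for m in payload[2:2 + nmethods])


def find_suspicious_socks_flows(flows, approved_proxies, internal_nets):
    """Alert on SOCKS5 greetings to destinations that are not approved proxies.
    approved_proxies: set of (ip, port) tuples; internal_nets: list of ip_network objects.
    A greeting that leaves the internal ranges is rated high, one that stays inside medium."""
    alerts = []
    for f in flows:
        if not is_socks5_greeting(f.first_bytes):
            continue
        if (f.dst, f.dport) in approved_proxies:
            continue
        dst = ipaddress.ip_address(f.dst)
        internal = any(dst in net for net in internal_nets)
        alerts.append({
            "src": f.src,
            "dst": f.dst,
            "dport": f.dport,
            "severity": "medium" if internal else "high",
        })
    return alerts


# Constructed sample data; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 4001, b"\x05\x01\x00"),         # SOCKS5 greeting to an unknown external host
    Flow("10.0.0.7", "10.0.0.250", 1080, b"\x05\x02\x00\x02"),       # SOCKS5 greeting to the approved corporate proxy
    Flow("10.0.0.9", "198.51.100.4", 443, b"\x16\x03\x01\x02\x00"),  # TLS ClientHello, not SOCKS
    Flow("10.0.0.5", "203.0.113.10", 4001, b"\x05\x00"),             # malformed: zero methods advertised
]
APPROVED_PROXIES = {("10.0.0.250", 1080)}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

if __name__ == "__main__":
    for alert in find_suspicious_socks_flows(SAMPLE_FLOWS, APPROVED_PROXIES, INTERNAL_NETS):
        print(alert)
```

Only the first flow is reported: the greeting to the corporate proxy is allowlisted, the TLS flow does not start with the SOCKS version byte, and the two-byte payload advertises no authentication methods and is therefore not a valid greeting. In practice the allowlist is the important part; an unexpected SOCKS5 handshake from a workstation to an external host is exactly the shape of a SystemBC-style proxy bot calling home.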
As mentioned earlier, numerous groups have been associated with the use of SystemBC over the years. These groups, with many linked to ransomware activities, include:
- TropicalScorpius (CUBA)
- RiddleSpider (Avaddon)
- WizardSpider (Conti, Ryuk)
- Maze Team (Maze & IcedID)
LaplasClipper (Laplas Clipper also known as Laplace Clipper) is a well-known malware that operates as a crypto clipboard hijacker. It has been in use since 2022. This malware can be purchased from its portal for as low as $49, with payment structured as a monthly subscription. LaplasClipper has been employed by various criminal threat actors to steal cryptocurrencies.
This malware gains access to devices through various methods. It has been observed being distributed through YouTube video links or compromised websites, as well as links to files containing LaplasClipper loaders. It has also been delivered via spear-phishing campaigns. In recent versions, the malware establishes persistence in the registry and injects itself into files it creates to gain an advantageous position. From there, it monitors the clipboard, waiting for cryptocurrency wallet-related information to be placed on it. It then replaces that information so that the cryptocurrency is diverted to the attacker.
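The clipboard-swap behaviour described above has a simple observable side effect: a wallet address appears on the clipboard and, within a fraction of a second, is replaced by a different address of the same family. The code below is an added example and is not code from the original post or from LaplasClipper; it runs that heuristic over a constructed log of clipboard write events. The `ClipEvent` record, the process names and the 2000 ms window are assumptions for the example, and the address patterns cover only two common families, so a deployment would tighten them.

```python
import re
from dataclasses import dataclass

# Address patterns for two common families (constructed for this example; tighten for production use).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass(frozen=True)
class ClipEvent:
    t_ms: int      # time of the clipboard write, in milliseconds
    content: str   # new clipboard text
    writer: str    # process that performed the write, as reported by the monitor


def address_family(text: str):
    """Return 'btc', 'eth' or None for a clipboard string."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


def detect_clipper_swaps(events, window_ms=2000):
    """Flag an address-like clipboard value that is replaced by a *different* address of the
    same family within window_ms. A person rarely copies two distinct wallet addresses that
    fast; a clipper rewrites the clipboard as soon as it sees one."""
    alerts = []
    prev = None  # (event, family) of the last address-like write, or None
    for ev in sorted(events, key=lambda e: e.t_ms):
        fam = address_family(ev.content)
        if prev is not None and fam is not None and fam == prev[1]:
            delay = ev.t_ms - prev[0].t_ms
            if ev.content.strip() != prev[0].content.strip() and delay <= window_ms:
                alerts.append({
                    "family": fam,
                    "original": prev[0].content,
                    "replacement": ev.content,
                    "delay_ms": delay,
                    "writer": ev.writer,
                })
        # Any non-address write resets the comparison baseline.
        prev = (ev, fam) if fam is not None else None
    return alerts


# Constructed sample events; the addresses are synthetic and the process names are placeholders.
SAMPLE_EVENTS = [
    ClipEvent(0, "meeting at 10", "explorer.exe"),
    ClipEvent(1000, "0x" + "ab" * 20, "chrome.exe"),            # user copies an ETH address
    ClipEvent(1150, "0x" + "cd" * 20, "unknown_updater.exe"),   # replaced 150 ms later by another process
    ClipEvent(5000, "bc1q" + "p" * 38, "explorer.exe"),         # user copies a BTC address
    ClipEvent(9000, "bc1q" + "z" * 38, "explorer.exe"),         # a different BTC address 4 s later: normal use
]

if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_EVENTS):
        print(alert)
```

The only alert is the ETH replacement: same family, different value, 150 ms apart, written by a process other than the one the user was working in. The later BTC pair is separated by four seconds and is treated as the user simply copying a second address. The `writer` field is carried through because, on a real host, the identity of the process that rewrote the clipboard is the fastest way to find the implant and its persistence entries.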
As noted above, Laplas has been involved in several executions together with other malware or loaders; some of them, which are related to active groups, are the following:
- RedLine Stealer
AveMariaRAT, also known as WarZoneRAT, is one of the most famous and widely used RATs in recent years. It can be purchased with a license and monthly subscriptions ranging from $16 to $38 on its website. This tool is used and modified by various groups, ranging from disorganized or resource-limited individuals known as script kiddies to highly relevant criminal groups or APTs.
Some of the notable groups that have been observed using AveMariaRAT include:
- Tomiris ( 🏴 )
- Carbanak | Anunak ( 🇺🇦 )
- Aggah ( 🏴 )
- BlindEagle | APT-C-36 ( 🇨🇴 )
- Confucius ( 🇮🇳 )
- SideWinder ( 🇮🇳 )
- HazyTiger | Bitter ( 🇮🇳 )
- FIN7 ( 🏴 )
- SandWorm Team | Voodoo Bear ( 🇷🇺 )
- Kasablanka ( 🏴 )
This malware, used by the groups mentioned, can infiltrate an infrastructure in various ways, from spear-phishing to compromised websites from which it is downloaded. Once on a device, the RAT has capabilities to escalate privileges, bypass UAC, evade defenses such as security software, gather sensitive information about the device and user, and inject itself into processes to maintain active communication with the C&C server operated by the attacker.
Inside Look: Evolution of Spear-Phishing Techniques of Notorious Threat Groups
In recent years, different campaigns and threats have been developed whose entry vector has been the same: email. This initial access always seems the most absurd and unworthy of attention, because companies have supposedly trained their employees properly. However, the trend tells us the opposite: many criminal groups and APTs continue to use this technique, varying or evolving it, and the most vulnerable element, human error, remains.
Phishing (T1566), a social engineering technique used as initial access (TA0001) since the mid-90s, is nothing more than a tool to deceive the victim into providing confidential information. Attackers disguise fraudulent emails with messages that appear familiar to the victim and are difficult (in most cases) to distinguish at a glance from the legitimate ones they are trying to emulate.
Alongside this technique we have spear-phishing, which has several sub-techniques (T1566.001, T1566.002, T1566.003). It uses targeted fraudulent emails to entice the victim to click on a link, open an attachment, and so on.
AZORult is one of the best known malware within the Stealer family. It is usually sold on Russian forums for prices ranging up to $100. This malware has been used by a large number of important threat actors, including some dedicated to crime such as FIN11 or TA505 (GracefulSpider) or others that are part of a state-sponsored model such as GorgonGroup from Pakistan.
This malware usually starts from an initial point such as documents delivered via spear-phishing or compromised web pages. It is characterized by dropping several files that are later executed and check the connection to the C&C. After this, it steals information and creates persistence or a backdoor so that, before exfiltrating the data, it has opportunities to remain on the system, allowing the actor to keep obtaining information from the system to which the affected computer belongs and sometimes to pivot.
RecordBreaker, or RaccoonStealerV2, is the new version of the Raccoon stealer, which can be bought as malware-as-a-service on black markets for under $300. It is widely used in mass campaigns or by criminal groups who try to infect repositories or attach the malware, usually compressed in ZIP/RAR format. Its main objective is to reach the largest number of victims, and it contains different phases including process injection, binary downloading, and information theft.
SmokeLoader is malware that generally acts as a backdoor and is commonly used as a loader for other malware. It is attributed to the criminal group Smoky Spider, which uses SmokeLoader and Sasfis as loader and downloader respectively. SmokeLoader has been used as a bot within infrastructures and contains strong evasion capabilities as well as anti-analysis, anti-VM and anti-debugging techniques.
Tofsee is malware used for mass campaigns and has no associated group or actor. It has gone through different phases, but has generally been used to create botnets or spambots, as well as for mining. The starting point of Tofsee is usually a loader or a spear-phishing email that launches the malware. In all its stages it has been a thoroughly crafted malware, with code obfuscation, packed samples and anti-analysis techniques, leading to a backdoor used to perform mining by taking advantage of the botnet features, or to send spam.
Machete Weapons: Lokibot
Machete is a group that currently has no associated country, but it is believed that its origin, or part of it, lies in Spanish-speaking countries. This group began operating in 2010 and this year has had a major impact in many countries; it is particular in this area, as it attacks a large number of them, with an emphasis on Latin America, Spain and Russia.
Their main targets are defense departments, government entities and companies dedicated to energy and telecommunications. They gain initial access through social engineering, with a strong preference for spear-phishing emails, although they have also been seen exploiting vulnerabilities. Once they have gained access, the phases vary depending on the malware they use, but the main objective is to establish persistence, open outbound connections creating a secure channel, and steal information from the victim, which they exfiltrate through the previously created channel.