Pony | Fareit

_Overview

Pony (also known as Fareit or Siplog) is a malware categorized as a loader and stealer, although it is also used as a botnet, being a tool that has been used for more than 10 years and is still in use. This infamous malware continues to receive updates and can be purchased, and has been involved in information theft or used to launch other malwares during attacks on victim infrastructures.

Given that this malware has such a long history (yes, 10 years in cyber is a lot), the methods of use and execution of Pony have varied, as it has depended on who has used it, whether they are more or less organized groups. It has typically been seen in phishing campaigns where a typical message in the language of the targeted country was introduced, simulating some kind of urgency, or alternatively, attacked web pages have been seen where download links have been replaced by a Fareit loader or directly the execution of it. Pony has also been notorious in exploit kits or in fake programs where trying to download the free version of something would gift you with a malware disguised as a small horse.

Pony has been seen used by various groups, usually related to crime, whose general objective is usually to obtain money, and whose functionality of stealing data, persisting, and also the possibility of being used as a bot, is tremendously useful. Obviously, most cases of the use of this type of tool cannot be associated with groups, and years ago the code of Pony versions was leaked, which increased its use both in organized and less organized groups. However, when incidents are observed in which an actor interacts with tools typical of a group or with a characteristic kill chain with methodologies that have been used before, it helps us to place these tools also in their use in more organized groups. Therefore, the groups of this type that have been seen using Fareit are as follows:

  • Cobalt Group ( 🇷🇺 )
  • Gold Evergreen | TA505 | GracefulSpider ( 🇷🇺 )
  • Gold Galleon ( Suspected 🇳🇬 )
  • Gold Essex | TA544 | NarwhalSpider ( 🏴 )

_Technical Analysis

As I mentioned earlier, actors who normally use Pony can launch it in various ways, with the aim of having the loader or the file downloaded with more or less intent. The next step will depend on the origin, with a document launching a preliminary version or a ZIP/RAR containing a supposed software or important document that we have downloaded. After this, except for some versions that use scripts to launch Pony, we will have the main execution of the malware. As usual, there are different versions coexisting that in their core are practically the same, but hide peculiarities that change the execution approach and, of course, the understanding and detection of the malware.

In this graph, I try to depict the synthesis of most of the functionalities of Pony that I found months ago:

0

As I mentioned, I have launched and analyzed a large number of different samples, and I’ll leave you some examples of how their execution would look like here, representing the most typical ones. In most samples, they make changes to network registries to have smooth communication with suspicious domains or to prevent the system from alerting about any unusual communication or traffic that would be denied by default

image

image

Getting into the specifics, the first thing we can see is directly how information is obtained from the system, or conversely, how auxiliary files or copies of the main file are started in other paths

image

image

image

On occasions, I have encountered samples that focus heavily on what some RATs do, which I have seen many times, which is the abuse of legitimate .NET tools where they inject or load modules into them to remain hidden. (This time, you might want to enjoy playing The Witcher, and you’d encounter an interesting problem)

image

When launching auxiliary files or copies of the main file, it usually deletes the original file by running a .BAT, which in most cases, if not all, is identical:

image

When we take a closer look at the samples, most of them are usually .NET, although I have encountered other compilers, packed versions, but the one that abounds is usually .NET. What we usually see is how it handles large strings, which is usually another binary

image

Basically, what it does is pass it through a function to extract the binary.

image

image

image

A representative chart of everything together would be the following:

image

As you can see, I’ve called it “Load Module”, initially, I thought it performed several concatenated injections, something I’ve seen before. In this case, it’s interesting because what it extracts in memory, as you can see, has Anti-Analysis techniques, potential for injection (we see Unmap, so we can guess it will do ProcessHollow), and more functions

image

image

This module, once it is already loaded (S is the secondary), we can see it in the main (with socru being the main).

image

image

image

In the end, the module is another .NET that will be hosted within the main one and will expand the functionalities of the first. These techniques are ultimately used to not be able to understand the intentions of the initial sample and to make detection more difficult

image

image

In some other samples, it practically does the same work to extract it, but the module is more or less obfuscated, but the functionality does not change. I was really lucky because the first samples I analyzed were not obfuscated, which later helps you understand the functionality of the samples and have a more discerning eye.

An example of these obfuscated samples that ultimately do the same thing:

image

image

image

image

_Loaded Module

This module, which is actually running after the first one, means that we don’t see the original binary spawning anything at first glance; we only see it working

image

After this, it starts creating folders to launch the subsequent files that we have seen before. We will see them in more detail later, but the one with less weight (12KB) is an auxiliary file that only takes care of persistence and searching for the base file to restart execution, which in this case is the one with more weight (304KB), which is nothing more than an identical copy of the file we initially downloaded

image

image

image

As I mentioned earlier, it has various basic Anti-Sandbox and Anti-VM techniques, which ultimately involve making requests to know the video controller we have. If we are emulating a machine, they will typically have strings from VirtualBox or VMWARE. In the other case, it involves capturing running processes and seeing if any of them are related to tools it doesn’t like, which is quite common

image

image

image

image

image

The summary of these would be as follows:

image

Continuing with the thread, we would see how it copies itself. This doesn’t always happen because, as I mentioned earlier, sometimes it uses direct loading or injection onto .NET processes (like the one we saw before with The Witcher)

image

image

image

After this, it has a copy of itself and has increased its capabilities, but the next step is to perform an injection on itself. Here we see that it has different options, which in our case leads to self-injection, as it searches for “Filename” but has the ability to inject into other .NET-related processes

image

Examples of posible .NET-related process:

vbc.exe
AppLaunch.exe
MSBuild.exe
installutil.exe
regasm.exe
aspnet_compiler.exe
regsvcs.exe

As we suspected earlier, it performs Process Hollowing since it has the ability to remove data from the target process, reserve space in it, and insert code

image

In the end, what we see is how it resolves the header and suspends a process, in this case, itself, in another thread to inject the code. As we can see, it has imports related to UPX, but we’ll see this later

image

image

image

image

The summary of all this work is shown in another graph:

image

When it performs the injection, it launches the auxiliary file I mentioned earlier, which supports it, and kills the main process. Also, here it executes the .BAT in some samples for self-deletion

image

image

_Aux file

In this auxiliary file, as I mentioned, it takes care of persistence and restarting execution, so it will simply be a file that will be in charge of restarting the whole cycle again, executing the copy that it will have launched in some folder, restarting the module loading, the injection, and so on, so we see how it executes it.

image

image

And how it creates persistence from this auxiliary file

image

image

image

Depending on the samples, persistence is carried out in one key or another, and it also depends on some occasions on the module loaded into memory, as it already has the ability to persist because it does not have an auxiliary file. So, the summary is as follows:

image

Here I have tried to go step by step from when I take a first sample and develop all its functionality in order, but we are missing a step because the thread has followed this logic:

.
├ (Parentprc) Principal binary < DONE
├ (Parentprc) (Load in runtime) Load new module < DONE
├ (Parentprc) New capabilities at ppal binary < DONE
|————├ (Childprc) (Injected) Injection of new code (?)


_Payload

We had mentioned that it injects new code, but during the analysis, we had not been able to look at this, so when extracted manually, we obtain a sample in UPX.

image

Once the unpack is done (well unpack, it pains me to consider UPX as a packer out of respect for true geniuses I have been lucky enough to know who have collaborated on packers that are works of art, but in practice it is a packer :D ). This code is responsible for establishing communication with the C&C. It has interesting modules to handle users, establish communication, or also write files. So, in the end, the attacker can launch more malware from outside or have quite extensive control with a network channel

image

image

image

Here we find countless references to FTP, search engines, email, etc. That we will see it obtains during runtime once the injection has been done.

image

image

image

Also, in some samples, we find directly the URL with which it will establish communication, which will also be the Pony portal

image

Unfortunately, the panel in the samples I was looking at was already down. It’s quite curious because, as I mentioned at the beginning, more than half of the samples referenced legitimate company websites that had been exploited and had their Pony panel inserted. This is a fairly high percentage, and I found it curious because I also found companies that had experienced this situation and had open directories. Anyway, for your reference, here’s how the login panel usually looks, maintaining the same structure:

<ip/domain>*/gate.php|admin.php

image

In the end, what we see is how it makes requests via registry or files to a large number of software that it will later exfiltrate.

image

image

The summary graph of several samples is as follows:

image

More or less usually steals similar things, FTP, tools related with passw, browsers, and so on.This is usually done either by looking in the configuration files of the softwares or by looking in the registry as I said before. Here’s a list of what most closely matched the samples I have seen

Windows commander
TotalCommander
LeapWare
Martin Prikryl / WinSCP
NetDrive
WS_FTP
CuteFTP
QCToolbar
FlashFXP
Filezilla
Bullet Proof FTP
SmartFTP
TurboFTP
FFFTP
COREFTP
VanDyke SecureFX
FTP Rush
BitKinex
ExpanDrive
ClassicFTP
LeapFTP
LeechFTP
NovaFTP
FlashFXP
WS_FTP

Opera
Mozilla
Chrome

AceBIT
RhinoSoft

Windows Live Mail
PocoMail
BatMail

I have reached the point of injecting the payload in different samples, but to no one’s surprise, it was quite similar in terms of loaded functions, strings (there are many more in one, but it’s due to the extraction), in short, the core of the payload was very similar in all of them.

image

This can also be seen more simply when it injects into .NET processes

image

image

image

_Summary

As I mentioned, there are various samples, but most of them rely on an auxiliary file to maintain persistence, whose path tends to change quite a bit and serves as a loader for a copy of the main binary that will be launched in some location, which is also variable. At this point, it usually loads another module, either into itself, into another file, or into one related to .NET, which serves to increase capabilities and then perform injection at runtime. After this, it establishes communication after stealing data from different software, as well as basic system and/or user information. It is quite common in the use of Pony that the target websites where it communicates are websites that have been previously exploited due to poor security management, so it also helps in its concealment that it actually communicates with a school or university website (Yes, I’ve seen them in Pony too). The downside of this is that the paths established by the attacker where the panel is installed tend to fall quite quickly, making it difficult to pivot and store IOCs because they are very variable and often related to legitimate websites

_Outro

I also checked in underground markets and forums, and it’s interesting that there are quite old posts where it is promoted a bit and how people are still in that thread asking for certain functionalities or software expansions

image

image

image

Finally, I would like to thank you for reading this analysis and for supporting me :)


_Detection Oportunities

Execution

  • [TA0002][T1059.005] Loader in VBS of pony executed via wscript
(Command)*WScript.exe*\AppData\Local\Temp\*\*.vbs

Persistence

  • [TA0003][T1547.001] Persistence using dropped files in temporary folders in diferent registry keys
(Registry) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Load  
(Registry) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
(Registry) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Defense Evasion

  • [TA0005][T1070.004] Delete file using .BAT
(Command)cmd.exe /c*C:\Users\user\AppData\Local\Temp\*.bat*csc.exe*
  • [TA0005][T1036] Paths used to drop auxiliar files or copies of original binary
(Path)C:\Users\user\AppData\Local\Temp\*.bat|.exe

(Path)C:\Users\user\AppData\Roaming\Microsoft\*.bat|.exe

(Path)C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\*.bat|.exe
  • [TA0005][T1055.012] Process injection
From file in temporary folder > injection > csc/MSBuild 

From file in temporary folder > injection > Other unidentified file in same temporary path

_IOC

1a1dc33fae444afdd54f6f50dd47ed4b9f673fbc5595dad7b48e78cac0458465
6a581c0c07ceb888ea418fccffd5efba33b9fd6561be1bcf90b0d6ba4deefd05
442b8223413bc9b08a5983da23c5964839b1551ab4a84759d94dc5c9a228eacc 
0db43ad0ab0735bf0b84fb780e5e075b0c61c8e884d678430c2324d692afae4b
3887d3d133504bb41d03e8fd96539c38c3accaf5aa97f2948599a473800d0bef
C1be3c17f856344daf7ab2ad08074e94145f371698f52bc93b5dde4030c53f62 
F3c2d287c23bc90e0185b416d9e3d0469f4c4eaa21aecd1835061f3677bee67f 
C61AF2853F0E94D65ECA09CEA4E00DE29A10F03518B0729E859739FD4FFFD08D
e9772b945a731b447725680b8ef8b8252c2bb19931005718a8711ae527d532ba
63c825619e3cff8843b7ef1d81b493fa1addc20c548ac98010acc6afd254351a
All rights reserved
⬆︎TOP