Blueliv
Blog & Resources

My Little Pony

One year ago our colleague Xylit0l wrote about the Pony stealer malware. It’s been a year and the Pony family has grown! Two malwares, at least, have been found in the wild with some parts of Pony included in them.

This is the case of Jolly Roger which is a malware that uses the same gate.php script with few modifications. Instead of saving the stolen information with all the details about the infected system in the database, Jolly Roger only saves the parsed credentials into the file system using the following functions.

Bot Information Storage

The following snipped shows how the Bot information is stored in disk:

Bot Information Storage

Credentials Storage

The following snipped shows how credentials are stored in different files:

Credentials Storage

Notice that using this approach, is not possible to trace the infection period nor the number of infected bots in order to perform an Information Forensics analysis. This is the content of the db/ directory:

Content of /db

Only few Bot information and credentials are saved, sad news, but… Hey! you have a cool control panel:

Jolly Roger Panel

As you can see, the panel is pretty similar to the SpyEye one:

SpyEye Panel

Good… we may call the Jolly Roger guy the Master of Copy&Paste! But wait, this is not the only one taking profit from the Pony Stealer malware, another similar case of code re-usage is found in a web panel called A1N3Y Recovery, the big guy – see pictures below – just used exactly the same code as Pony and added the following code in the admin.php web site code:

Customer Information

This is awesome, the big guy just took the code from the malware and added an expiration date in order to earn money renting the service during a long time. The admin.php script also checks if the user expired or not:

Customer Expiration

But, hey! Look at the following pictures of the panel, so cool right?

Login form

Ainey Login

Inside the control panel (with the big guy)

Ainey Panel

Actually, this panel with the big guy seems to be in the wild since 2013.

My little pony is getting older.