Thursday, August 18, 2022

In Retrospective - A Peek Inside the Pony Loader Cybercrime-Friendly Malicious Software Release - An OSINT Analysis

I recently took a peek inside some of my old threat intelligence gathering research archives and I've decided to share with everyone some sample screenshots, including an actual description, from the Pony Loader malicious software release, which was extremely popular and high-profile back then.

Enjoy!


Sample screenshots of the Pony Loader in action:

Sample description of the Pony Loader:

"FTP password collection system "Pony"

Purpose and objectives of the project

Collection of FTP passwords from 81+ popular FTP clients and web browsers on infected computers
Invisible to the user
Minimum size and minimum run time of the grabber on the infected computer

General information

The project is divided into three parts:
Client "Pony.exe" - the program that has to be loaded onto computers; it collects passwords and sends them to the server.
Builder (PonyBuilder.exe) - a set of programs for creating a build of the client "Pony.exe". The build is assembled automatically by the masm32 compiler, which is included in the kit.
A set of server-side PHP scripts - the admin panel, as well as the gate script (gate.php) to which passwords are sent.

An unusual approach is used to collect passwords

When the client "Pony.exe" is run, it automatically collects the passwords, together with the data required to decrypt them, from files into a special container called a report, and then sends the encrypted report to the server, where it is processed. Each report can contain tens or even hundreds of passwords, as well as other supporting information.

In fact, "Pony.exe" does not contain any decryption algorithms, only a simple function for reading data from files and the registry.

All the work of decrypting the passwords is done by the web server; this is not a resource-intensive operation, because most of the algorithms are trivial, and the server spends on average less than 10 ms (0.01 seconds) processing a report with passwords.

Positive aspects of this approach:
Minimum size of the loaded file "Pony.exe"
Minimum time on the infected computer, on average less than 1 second
If an FTP client has only updated its encryption algorithm but still stores its password files in the same way as before, which is typical of most popular FTP clients, there is no need to re-create the build and load it again; only the appropriate modifications to the PHP script are needed
No chance of making a mistake in the password decryption algorithm and losing FTP accounts: reports can be processed on the server again after the bug is fixed

Negative:
Requires a fully-fledged web server configured for decrypting the passwords, with some specific requirements
Increased traffic to the server; this is offset by the ability to pack reports

Requirements for the web server

Apache / nginx
PHP 5.2+
MySQL
Required PHP extensions:
zlib - library for compression / decompression of data using deflate
libxml - library for fast processing of XML files
mysql - extension for working with the MySQL database
mhash - library of hash algorithms (included in the main PHP build from 5.3+)
mcrypt - library of encryption algorithms
gmp - mathematical library for working with large numbers
iconv, mbstring - extensions for converting multibyte (UTF-8, ...) strings
gd - graphics library, used for plotting graphs
curl - extension for working with the network
pcre - library of algorithms for working with regular expressions
json - library for decoding JSON strings
zip - library for handling zip archives
Optional PHP extension:
sqlite3 - required either as a class (PHP 5.3+) or as a PDO driver (PHP 5.2+), otherwise some passwords will not be decrypted

The set of server-side scripts is not tied to the root folder and can be moved anywhere you want. In the working folder you must create the directory "temp" and give it read, write and execute permissions (chmod 777). The name of the "temp" folder can be overridden in the configuration file "config.php".

Example of a PHP build:
Configure Command: './configure' '--enable-mbstring=all' '--with-zlib' '--with-iconv' '--with-gd' '--with-curl' '--with-pcre-regex' '--with-gmp' '--with-mhash' '--with-mcrypt' '--with-mysql' '--with-libxml-dir' '--prefix=/opt/php' '--with-sqlite3' '--with-freetype-dir' '--enable-gd-native-ttf' '--with-png-dir' '--with-jpeg-dir' '--enable-zip'

The server side (admin panel)

Scope of supply:
The file "config.php" - contains the basic settings required for the admin panel's PHP scripts to work. Inside the file you must enter your MySQL server settings, choose a password for decrypting the reports, and specify the folder for temporary files.
The file "setup.php" - automatic installation script; it has to be run for the initial configuration of the admin panel, after which it can be removed. This script creates the necessary MySQL tables and sets the login and password. Before running "setup.php" you should set the MySQL server parameters in the file "config.php". To repeat the automatic setup of the panel, you must first remove all the tables with the prefix "pony_" from the MySQL database.
The file "gate.php" - the gate script, which receives the reports with passwords from "Pony.exe".
The file "admin.php" - the main script of the admin panel.
The folder "temp" - the folder for temporary files and Smarty templates; you must set read, write and execute permissions on it (chmod 777).
The folder "includes" - a set of supporting files.

Admin panel functions

Home - general information about the current work of the server.
FTP list - here you can download or clear the lists of obtained FTP / SFTP accounts.
Others - here you can download or clear the lists of received certificates.
Statistics - current statistics on the collected data; note that clearing the FTP list / reports resets the statistics.
Domains - on this page you can add backup grabber domains for quick accessibility testing.
Logs - here you can see critical errors and server notifications.
Reports - the list of current reports with passwords.
Management - server settings, as well as account management.
Help - help file.
Exit - exit from the admin panel.

Differentiation of admin panel users

Users are divided into two types:
Administrator (admin) - can do everything: delete / add new users, change the server settings (the password with which reports are encrypted), change the privileges / passwords of other users, clear the password lists. There can be only one administrator.
User (user) - depending on the privileges, can either only view the data (user_view_only), or view and clear the FTP / SFTP / reports / logs lists (user_all). A user can change their own password. A user will not see the additional functionality that is available only to the administrator.

Additional information

Each received report contains additional information:
OS - Windows version.
IP - IP address of the sender.
HWID - a unique user ID that does not change with time. By this ID you can find all the reports from a particular computer.
Privileges - the rights (User / Admin) with which the "Pony.exe" process was started.
Architecture - x86/x64 architecture of the processor on which the "Pony.exe" process was launched.
Version - version of the client "Pony.exe".
Clearing the list of reports and FTP / SFTP resets the statistics (graphs and text data).
Identical reports with passwords are not imported into the database; when a duplicate is received, a notification is written to the logs.
Importing reports with passwords through "gate.php" takes place in two stages:
The received report is imported into the MySQL database. Only when the import into the database has succeeded does the gate return a positive response to the client "Pony.exe", to avoid sending the passwords to the following (redundant) domains.
The report is processed (parsed), then the FTP accounts found are added to the database, and the report is given the status "processed".
If a report has the status "not processed", it means either that the server is overloaded (the maximum script execution time was exceeded) or that the parsing script terminated with a critical error. In either case the report will not be lost.
If the system is used by several users, they must log in under different accounts, otherwise the login window will always pop up.
After clearing the lists, the data in the MySQL database is not always physically removed (especially logs), so you should periodically run table optimization (compression).
Optimization (compression) of the MySQL tables is best carried out when there is heavy load on the database, i.e. when the client "Pony.exe" is not actively sending passwords.

Builder "PonyBuilder.exe"

The task of the builder is to configure and compile the client "Pony.exe", which is then loaded onto infected computers.

Scope of supply:
Folder "masm32" - the Microsoft Macro Assembler (MASM) compiler.
Folder "PonySrc" - the MASM source code of the client program (grabber) "Pony.exe".
Folder "BuilderSrc" - the Delphi 7 source code of the supporting builder program "PonyBuilder.exe".
The file "PonyBuilder.exe" - the builder program for the client "Pony.exe".
The file "Help.txt" - help file.
The file "build.bat" - the script used by the builder to compile the build from the "PonySrc" sources.
The file "Pony.ico" - the icon attached to "Pony.exe" at compile time, if the corresponding option is selected in the builder.

The interface is divided into four tabs:

Builder
The text box "List of domains to send passwords to" - here you can set the list of gate URLs to which passwords are sent. Each line is a separate URL, for example: http://somedomain.com/dir/gate.php You can add an unlimited number of lines (URLs), and the same URL can be added multiple times. The domain may contain the connection port, for example: http://privatedomain.com:8080/gate.php. The https:// protocol is not currently supported.
"Pony.exe" will try to connect and send the report with the passwords to the URLs in the list; if the data is successfully delivered, the program exits immediately without attempting to connect to the rest of the URLs.
The "Select icon" button allows you to set the icon for the compiled file; only the *.ico format is supported.
The "New build" button compiles the file "Pony.exe" with your settings.
Loader
A simple loader (file downloader). After gathering passwords, the files at these links (URLs) will be downloaded and run. The URLs are given in the same manner as the list of domains for sending passwords. In the lower part of the tab you can specify the following options:
Activate the loader - enables the loader; otherwise the files will not be downloaded.
Do not run the same files twice - after the successful launch of a downloaded file, a reference value (hash) of the file's data is added to the registry, and when it is downloaded again, the duplicate will not be run.
Settings
To see all the settings, you need to activate the option "Show advanced settings" in the main menu.
Compress - compress reports using the aPLib library; adds about 5 KB to the size of the executable file, but packs text data well before sending it; strongly recommended, since it greatly reduces traffic to the server.
Encrypt - encrypt reports with the RC4 algorithm.
Encryption password - the password with which reports are encrypted; the same password must be set in the server configuration.
Save reports to disk (for debugging) - when "Pony.exe" is started, after the passwords have been collected it creates, in the same directory from which the executable is run, a file "out.bin": the container with passwords in the form in which it was sent to the server for further processing (decoding).
Send empty reports (for statistics) - usually, if no passwords are found, the client "Pony.exe" does not send anything to the server, but it is sometimes useful to enable this option to get statistics on the number of successful launches of "Pony.exe".
Debug mode - removes the exception interceptor; to be used only for debugging purposes.
Send only new records - if this option is not activated, duplicate records with passwords are not sent.
Self-delete - the running file "Pony.exe" will be removed after it exits.
Add an icon - attach the selected icon to the file being compiled.
Pack build with UPX - compress the executable "Pony.exe" after compilation.
Number of attempts to send the report - how many times to try to send a report after an unsuccessful transmission; it is recommended to specify at least two attempts.
Build type:
Exe file - a normal Windows executable (*.exe)
Dll file - the build in the form of a .dll library; it is completely autonomous: to use it you only need to call the LoadLibrary() API function from your project, i.e. the URLs for sending the passwords and all settings are sewn into the .dll file itself. The folder DllTest contains a simple test example: put the file Pony.dll in the same folder, then run the file DllTest.exe, which in turn calls LoadLibrary() for the .dll library.
In "Available decoding modules" you can exclude unneeded password decoders from the build, which will reduce the size of the build.
Skin
On this tab you can choose your favourite skin for the builder.

Starting the builder from the command line

The builder's command line arguments:

-PACK_REPORT - compress reports
-ENCRYPT_REPORT - encrypt reports; if no encryption password is specified, the default "Mesoamerica" will be used
-REPORT_PASSWORD= - encryption password, for example: -REPORT_PASSWORD=Mesoamerica
-SAVE_REPORT - save reports to disk (for debugging)
-ENABLE_DEBUG_MODE - debug mode
-SEND_MODIFIED_ONLY - send only new records
-SELF_DELETE - enable self-deletion
-SEND_EMPTY_REPORTS - send empty reports
-ADD_ICON - attach the icon from Pony.ico to the file
-UPX - pack the build using UPX
-DOMAIN_LIST= - list of domains; each domain must be separated by the special symbol \n, for example: -DOMAIN_LIST=http://host.com/gate.php\nhttp://host2.com/x/gate.php
-LOADER_LIST= - list of URLs for the loader (it will be activated automatically when URLs are present); each URL must be separated in the same way as in DOMAIN_LIST
-LOADER_EXECUTE_NEW_FILES_ONLY - do not run the same files twice
-DISABLE_MODULE= - exclude a specific decoding module from the build (all module names can be seen in the file PonySrc\FTPClients.asm), for example: -DISABLE_MODULE=MODULE_OPERA
-DLL_MODE - build in the form of a Dll library
-COLLECT_HTTP - additionally collect HTTP / HTTPS passwords
-UPLOAD_RETRIES=N - the number (N) of attempts to send a report; if no value is specified, the default is 2 attempts

Client "Pony.exe"

The task of "Pony.exe" is to collect passwords from the computer and send them to the server for processing.

Works on all versions of Windows, from Win98 onwards, including server editions. It works in both x86 and x64 mode. The program works normally when run either as an administrator or as a user.

Before distributing the file it is advisable to clean and crypt it.

Instant decryption of stored passwords is implemented for the following programs:
System Info
FAR Manager
Total Commander
WS_FTP
CuteFTP
FlashFXP
FileZilla
FTP Commander
BulletProof FTP
SmartFTP
TurboFTP
FFFTP
CoffeeCup FTP / Sitemapper
CoreFTP
FTP Explorer
Frigate3 FTP
SecureFX
UltraFXP
FTPRush
WebSitePublisher
BitKinex
ExpanDrive
ClassicFTP
Fling
SoftX
Directory Opus
FreeFTP / DirectFTP
LeapFTP
WinSCP
32bit FTP
NetDrive
WebDrive
FTP Control
Opera
WiseFTP
FTP Voyager
Firefox
FireFTP
SeaMonkey
Flock
Mozilla
LeechFTP
Odin Secure FTP Expert
WinFTP
FTP Surfer
FTPGetter
ALFTP
Internet Explorer
Dreamweaver
DeluxeFTP
Google Chrome
Chromium / SRWare Iron
ChromePlus
Bromium (Yandex Chrome)
Nichrome
Comodo Dragon
RockMelt
K-Meleon
Epic
Staff-FTP
AceFTP
Global Downloader
FreshFTP
BlazeFTP
NETFile
GoFTP
3D-FTP
Easy FTP
Xftp
FTP Now
Robo-FTP
LinasFTP
Cyberduck
Putty
Notepad++
CoffeeCup Visual Site Designer
FTPShell
FTPInfo
NexusFile
FastStone Browser
CoolNovo"
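The quoted description says the client posts each report over plain HTTP to the gate.php URLs in the builder's domain list in turn, retrying per UPLOAD_RETRIES and stopping at the first success. The following is an added detection example written for this post, not code from the original post or from the Pony kit: it scans constructed proxy-log lines (the log format, client IPs and hostnames are assumptions) for that retry-and-fallback pattern.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse
# Constructed proxy-log sample (not from the original post), one event per line:
# client IP, ISO timestamp, method, URL, HTTP status. 10.0.0.5 behaves like the
# described client: retry the first gate, fall back to the next, stop after a 200.
SAMPLE_LOG = """\
10.0.0.5 2012-03-01T10:00:01 POST http://somedomain.com/dir/gate.php 500
10.0.0.5 2012-03-01T10:00:03 POST http://somedomain.com/dir/gate.php 500
10.0.0.5 2012-03-01T10:00:05 POST http://privatedomain.com:8080/gate.php 200
10.0.0.7 2012-03-01T10:05:00 GET http://example.org/index.html 200
10.0.0.9 2012-03-01T11:00:00 POST https://shop.example.net/checkout/gate.php 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one line of the constructed format; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, url, status = m.groups()
    return {"ip": ip, "ts": datetime.fromisoformat(ts), "method": method,
            "url": url, "status": int(status)}

def find_gate_uploads(log_text, window_seconds=60):
    """Group POSTs whose path ends in /gate.php by client: how many, to which hosts,
    whether all were plain HTTP, and whether they form one short retry/fallback burst."""
    by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev and ev["method"] == "POST" and urlparse(ev["url"]).path.lower().endswith("/gate.php"):
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
        findings[ip] = {
            "posts": len(events),
            "hosts": sorted({urlparse(e["url"]).netloc for e in events}),
            "plain_http": all(urlparse(e["url"]).scheme == "http" for e in events),
            "fallback_burst": len(events) > 1 and span <= window_seconds,
            "ended_with_success": 200 <= events[-1]["status"] < 300,
        }
    return findings

def suspicious_clients(log_text):
    """Clients whose gate.php POSTs show the retry/fallback pattern over plain HTTP."""
    return sorted(ip for ip, f in find_gate_uploads(log_text).items()
                  if f["plain_http"] and f["fallback_burst"])
```

A single POST to a gate.php path is only a weak signal (the name is common in legitimate code); the burst of plain-HTTP POSTs across several hosts that stops at the first 2xx is the part specific to the behaviour described above.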

Stay tuned!
