S0453 Pony
Pony is a credential-stealing malware family that adversaries have also used for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 was leaked online, leading to its use by various threat actors.[1]
Item | Value |
---|---|
ID | S0453 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 21 May 2020 |
Last Modified | 25 June 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | Pony has used the NetUserEnum function to enumerate local accounts.[1] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Pony has sent collected information to the C2 via HTTP POST requests.[1] |
enterprise | T1110 | Brute Force | - |
enterprise | T1110.001 | Password Guessing | Pony has tried a small dictionary of common passwords against the list of local accounts it enumerated.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Pony has used batch scripts to delete itself after execution.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Pony has used scripts to delete itself after execution.[1] |
enterprise | T1105 | Ingress Tool Transfer | Pony can download additional files onto the infected system.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Pony has used the Adobe Reader icon for the downloaded file so that it looks more trustworthy.[1] |
enterprise | T1106 | Native API | Pony has called several Windows API functions directly for various purposes, such as NetUserEnum for account enumeration.[1] |
enterprise | T1027 | Obfuscated Files or Information | Pony attachments have been delivered inside compressed archive files. Pony also obfuscates its execution flow by inserting junk instructions, making analysis more difficult.[1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Pony has been delivered via spearphishing attachments.[1] |
enterprise | T1566.002 | Spearphishing Link | Pony has been delivered via spearphishing emails containing malicious links.[1] |
enterprise | T1082 | System Information Discovery | Pony has collected the Service Pack, language, and region information and sent it to the C2.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | Pony has attempted to lure targets into clicking links in spoofed emails from legitimate banks.[1] |
enterprise | T1204.002 | Malicious File | Pony has attempted to lure targets into opening an attached executable (inside a ZIP, RAR, or CAB archive) or document (PDF or MS Office format).[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.003 | Time Based Evasion | Pony has delayed its own execution using a built-in function to avoid detection and analysis.[1] |