
S0453 Pony

Pony is credential-stealing malware, though adversaries have also used it for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 was leaked online, leading to its use by various threat actors.[1]

ID: S0453
Associated Names: (none)
Type: MALWARE
Version: 1.0
Created: 21 May 2020
Last Modified: 25 June 2020

Techniques Used

All entries below are in the Enterprise domain. Sub-techniques are indented under their parent technique; a parent listed without an observation is a heading only, as on the original page.

T1087 Account Discovery
    T1087.001 Local Account: Pony has used the NetUserEnum function to enumerate local accounts.[1]
T1071 Application Layer Protocol
    T1071.001 Web Protocols: Pony has sent collected information to the C2 via HTTP POST requests.[1]
T1110 Brute Force
    T1110.001 Password Guessing: Pony has tried a small dictionary of common passwords against the list of local accounts it collected.[1]
T1059 Command and Scripting Interpreter
    T1059.003 Windows Command Shell: Pony has used batch scripts to delete itself after execution.[1]
T1070 Indicator Removal
    T1070.004 File Deletion: Pony has used scripts to delete itself after execution.[1]
T1105 Ingress Tool Transfer: Pony can download additional files onto the infected system.[1]
T1036 Masquerading
    T1036.005 Match Legitimate Name or Location: Pony has given the downloaded file an Adobe Reader icon to make it look more trustworthy.[1]
T1106 Native API: Pony has used several Windows functions for various purposes.[1]
T1027 Obfuscated Files or Information: Pony attachments have been delivered as compressed archive files. Pony also obfuscates its execution flow by inserting junk instructions, making analysis more difficult.[1]
T1566 Phishing
    T1566.001 Spearphishing Attachment: Pony has been delivered via spearphishing attachments.[1]
    T1566.002 Spearphishing Link: Pony has been delivered via spearphishing emails containing malicious links.[1]
T1082 System Information Discovery: Pony has collected the Service Pack, language, and region information and sent it to the C2.[1]
T1204 User Execution
    T1204.001 Malicious Link: Pony has attempted to lure targets into clicking links in spoofed emails purporting to come from legitimate banks.[1]
    T1204.002 Malicious File: Pony has attempted to lure targets into opening an attached executable (delivered in a ZIP, RAR, or CAB archive) or document (PDF or an MS Office format).[1]
T1497 Virtualization/Sandbox Evasion
    T1497.003 Time Based Evasion: Pony has delayed its execution using a built-in function to avoid detection and analysis.[1]

References