Malspam campaign conveying malware / pswstealer Pony

On February 27, 2019 malspam campaign conveys the password stealer Pony
On Feb. 27, 2019, TG Soft's C.R.A.M. (Anti-Malware Research Center)  detected malspam campaign spreading Pony malware.
Cyber-criminals developed "Social engineering" methods for fraudulent mass mailings, to induce the victim to open infected attachments or click on links in the body of the message.

If you received a suspicious email, send it to C.R.A.M. (Center for Anti-Malware Research)): How to send suspicious emails



Malspam campaigns "RE: Approved Purchase Order No. 4300023687 / NE-0520"

On February 27, there was a malspam campaign aimed at spreading Pony malware:

The emails sent have the subject:
  • "RE: Approved Purchase Order No. 4300023687 / NE-0520".

In the picture below we can see the first email with the subject: "RE: Approved Purchase Order No. 4300023687 / NE-0520".


Inside the email there is the attachment:
  • PO-4300023687.doc
File Name: PO-4300023687.doc
Size: 112.901 byte
MD5: B3FB25076890DB4B0903798D546B9265
VirIT: Trojan.RTF.Dropper.BIA
Back to top of page

Analysis of the file "PO-4300023687.doc"

The document "PO-4300023687.doc" is an RTF file that contains the vulnerability of CVE-2017-11882 which, once opened,  will execute, without any further operation by the victim, the program EQNEDT32.EXE (Equation Editor).

The opening of the document looks as in the picture:

The execution of the CVE-2017-11882 exploit, leveraging Equation Editor, involves downloading from http://www[.]enderezadoypinturaag[.]com/vfls/we.exe
of the malware payload named "fdgdfsdafgdfsd.exe" in the %appdata% folder.

Name: fdgdfsdafgdfsd.exe
Size: 695.808 byte
MD5: 6BD577D17A46550AB50FE6A913E6CA9A
Compilation date: 27/02/2019 - 02:01:17
VirIT: Trojan.Win32.Pony.BIA

Pony malware does not create any persistence within the computer and. after trying to retrieve the affected information and communicating with the Command and Control Server (C2) at the following url http://www[]iat-dz[.]com/papi/shit.php, it exploits the CMD.exe program to delete itself from the computer and leave no trace.
Within the process dump "fdgdfsdafgdfsd.exe" is the following url "http://www[]iat-dz[.]com/papi/gate.php".

The purpose of the password stealer "fdgdfsdafgdfsd.exe," belonging to the Pony family, is to steal access credentials to services (home banking), portals or software stored on our computer. Here we can see a list of affected software:
  • Far Manager
  • Total Commander
  • WS_FTP
  • CuteFTP
  • FileZilla
  • Bullet Proof FTP
  • TurboFTPSoftware
  • CoffeeCup Software
  • NCH Software
  • Opera
  • Firefox
  • SeaMonkey
  • Google Chrome
  • BlazeFtp
  • Windows Mail
  • Windows Live Mail
  • The Bat!
  • Outlook
  • Thunderbird
and many more:

It also contains the following password vocabulary:
123456 password phpbb qwerty 12345 jesus 12345678 1234 abc123 letmein test love 123 password1 hello monkey dragon trustno1 111111 iloveyou 1234567 shadow 123456789 christ sunshine master computer princess tigger football angel jesus1 123123 whatever freedom killer asdf soccer superman michael cheese internet joshua fuckyou blessed baseball starwars 000000 purple jordan faith summer ashley buster heaven pepper 7777777 hunter lovely andrew thomas angels charlie daniel 1111 jennifer single hannah qazwsx happy matrix pass aaaaaa 654321 amanda nothing ginger mother snoopy jessica welcome pokemon iloveyou1 11111 mustang helpme justin jasmine orange testing apple michelle peace secret 1 grace william iloveyou2 nicole 666666 muffin gateway fuckyou1 asshole hahaha poop blessing blahblah myspace1 matthew canada silver robert forever asdfgh rachel rainbow guitar peanut batman cookie bailey soccer1 mickey biteme hello1 eminem dakota samantha compaq diamond taylor forum john316 richard blink182 peaches cool flower scooter banana james asdfasdf victory london 123qwe 123321 startrek george winner maggie trinity online 123abc chicken junior chris passw0rd austin sparky admin merlin google friends hope shalom nintendo looking harley smokey 7777 joseph lucky digital a thunder spirit bandit enter anthony corvette hockey power benjamin iloveyou! 1q2w3e viper genesis knight qwerty1 creative foobar adidas rotimi slayer wisdom

In the picture below we can see graphically how the malware processes are executed from the opening of the infected document to the execution of the Pony's fdgdfsdafgdfsd.exe process:
Back to top of page





Back to top of page


How to identify a fake email 

Experience and common sense are the first weapons to avoid these kinds of scams.Careful reading of the email, in all its elements, is essential. Be wary of ZIP-formatted attachments and, if possible, DO NOT enable automatic macro execution. It is strongly discouraged to set up automatic execution of macros since simply opening Word and Excel files will see the immediate execution of macros without any prior alert. In case you have been infected by a Banker, the advice from TG Soft's C.R.A.M. is to take appropriate security precautions even after the remediation of the system(s) involved, such as changing the most commonly used passwords on the Web. In case the workstation involved is used for home-banking transactions, an assessment with your credit institution is also recommended.  

How to send suspicious emails for analysis as possible virus/malware/ransomware and/or Phishing attempts

Sending materials to TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, can be done safely in two ways:
  1. Any suspect email can be sent directly by the recipient's e-mail, to the following mail lite@virit.com,choosing as sending mode "Forward as Attachment" and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
  2. Save  the e-mail to be sent to TG Soft's C.R.A.M.for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously if you want a feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possiible / probable phishing; possible / probable malware or other).
All this is to help you by trying to prevent you from running into credential theft, viruses/malware or even worse next-generation Ransomware / Crypto-Malware.
Back to top of page

Integrate your PC / SERVER protection with Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install, Vir.IT eXplorer Lite -FREE Edition-.to supplement the antivirus in use to increase the security of your computers, PC and SERVER indifferently,

Vir.IT eXplorer Lite has the following special features::
  • freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • Interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend to use it as a supplement to the AntiVirus already in use as it does not conflict or slow down the system but allows to significantly increase security in terms of identification and remediation of infected files;
  • It identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis  to update Vir.It eXplorer PRO;
  • through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and proceed to send the reported files to TG Soft's C.R.A.M.
  • Proceed to  download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website

For Vir.IT eXplorer PRO users...

For Vir.IT eXplorer PRO owners, it is also possible to contact for free TG Soft's technical phone support.The details can be found on the support page CLIENTS.


TG Soft's Anti-Malware Research Center

Back to top of page

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: