Rewterz Threat Alert – Pony Loader Malware Targets Users in China

Wednesday, September 11, 2019

Severity

Medium

Analysis Summary

A new Pony Loader campaign that targets potential visitors of the Canton Fair based in Guangzhou, China. The initial infection sources from the following email:

image-1568197756.png

This email contains a compressed .ZIP archive named “ORDER LIST PROPOSAL-REQUEST FOR QUOTATION.zip” that, when decompressed, contains “ORDER LIST PROPOSAL-REQUEST FOR QUOTATION.exe”. This executable is the Pony Loader malware, a common password stealing Trojan that started in 2011 and still continues to operate today.

Impact

Credential theft

Indicators of Compromise

URLs

  • acousticallysound[.]com[.]au
  • http[:]//acousticallysound[.]com[.]au/include/shit[.]exe
  • http[:]//acousticallysound[.]com[.]au/include/gate[.]ph

Filename

  • ORDER LIST PROPOSAL-REQUEST FOR QUOTATION.exe

Malware Hash (MD5/SHA1/SH256)

  • 0963948E091CB139A49EF88B9E61AFD7
  • f2efcdb60c57c42c1e4e23e39d17eaa1

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.

Data Sheets

Corporate Brochure


Our Story


Services


Solutions


Managed Security


Upcoming Rewterz Trainings/Events

Rewterz News

  • 17, September 2019 Rewterz Threat Alert – Emotet Revival with Spam Emails Around the World
  • 17, September 2019 Rewterz Threat Advisory – CVE-2016-1409 – Cisco Products IPv6 Neighbor Discovery Crafted Packet Vulnerability
  • 17, September 2019 Rewterz Threat Alert – Phishing Attack Targets The Guardian’s Whistleblowing Site
  • 16, September 2019 Rewterz Threat Alert – InnfiRAT Malware Steals Litecoin And Bitcoin Wallet Information

Copyright © Rewterz. All rights reserved.