cannafalo.blogg.se

Pestudio pro cracked

Pony is the most widespread type of malware, representing around 39% of the active credential theft malware around the world according to BlueLiv's report on Credential Theft Malware. Since its first appearance in 2011, the credential theft malware Pony has been extremely active and is responsible for stealing more than three million sets of credentials. This malware has been seen in the wild in many forms (e.g. ransomware, dropper). CyberArk Labs recently discovered a sample of a new variety of Pony.

Figure 1 Main malware families detected in the past six months

CyberArk Labs researchers found a new sample of Pony's malware planted on a secured and well-known educational and job website ( ) as Purchase.exe. While it is no longer available, it was online for two weeks.

Figure 2 VirusTotal analysis result

Alarmingly, this particular sample was marked malicious by only 18 of the 69 Antivirus (AV) engines, meaning it would not have been blocked by most. While traditional security defenses attempt to protect against the malware, it keeps evolving and has become increasingly difficult to detect. This research explains why this sample of Pony's malware was able to fly under the radar of AV engines. We'll demonstrate how attackers are finding new ways to package the malware to go undetected and share critical mitigations to stay protected.

CyberArk Labs used a Python script to decrypt the resources of the Pony sample. Only the following lines of that script are legible in this copy of the article:

    # Read key file + convert hexa string to hexa bytes
    # Read resource file + convert hexa string to hexa bytes
    ResString = ""
    with open(fileToDecrypt) as rf:
    NewFile = open("unpacked_bin.exe", "wb")

Figure 3 Python script used to decrypt the resources

The purpose of the malware's file name, Purchase.exe, is quite clear: it makes the user think it is related to sales.

Figure 4 Information about the sample from PE Studio

Only one library is imported, kernel32.dll, but the file's strings include contact.dll, which is not imported, and cmd.exe, which is not commonly used in legitimate sales products. Both the copyright, which includes the word "pseudogynous", and the product name, "rifeness", look very strange. The file description, strings and imported libraries give us no further information and leave us in the dark.
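The PE Studio observation above (a single imported library, plus DLL and EXE names that appear only in the strings) is a triage heuristic that can be reproduced without a GUI tool. The following script is an added example, not code from the original article or from CyberArk Labs. It parses the PE import directory with the standard library only (no pefile dependency), extracts printable strings, and reports module names that are mentioned in the strings but absent from the import table. The PE image it analyses is constructed inline, with only kernel32.dll imported and contact.dll and cmd.exe in its strings, to mirror the indicators described for Purchase.exe; it is not the Pony sample and not a runnable program. The parser handles both PE32 and PE32+ data-directory offsets, which is more general than the single case on the page.

```python
import re
import struct

IMPORT_DIRECTORY_INDEX = 1  # IMAGE_DIRECTORY_ENTRY_IMPORT


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not mapped by any section" % rva)


def _cstring(data, offset):
    """Read a NUL-terminated ASCII string starting at offset."""
    end = data.index(b"\0", offset)
    return data[offset:end].decode("ascii", errors="replace")


def imported_dlls(data):
    """Return the lower-cased DLL names listed in a PE file's import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start at +96 for PE32 (0x10B) and +112 for PE32+ (0x20B)
    dd_off = opt_off + (96 if magic == 0x10B else 112)
    imp_rva, _imp_size = struct.unpack_from("<II", data, dd_off + 8 * IMPORT_DIRECTORY_INDEX)
    sections = []
    for i in range(nsections):
        hdr = opt_off + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dlls = []
    if imp_rva == 0:
        return dlls  # no import table at all, itself worth flagging
    off = _rva_to_offset(imp_rva, sections)
    while True:
        orig_thunk, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", data, off)
        if orig_thunk == 0 and name_rva == 0 and first_thunk == 0:
            break  # an all-zero descriptor terminates the array
        dlls.append(_cstring(data, _rva_to_offset(name_rva, sections)).lower())
        off += 20
    return dlls


def printable_strings(data, min_len=5):
    """Extract runs of printable ASCII, like the strings view in PE analysis tools."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    """Cross-check the import table against DLL/EXE names found in the strings."""
    imports = set(imported_dlls(data))
    module_names = {s.lower() for s in printable_strings(data)
                    if re.fullmatch(r"[\w.-]+\.(dll|exe)", s, re.IGNORECASE)}
    return {
        "imports": sorted(imports),
        "unimported_dll_strings": sorted(n for n in module_names if n.endswith(".dll") and n not in imports),
        "exe_strings": sorted(n for n in module_names if n.endswith(".exe")),
        "tiny_import_table": len(imports) <= 1,
    }


def build_sample_pe():
    """Constructed minimal PE32 image (not a real program, not the Pony sample):
    only kernel32.dll in the import table, but contact.dll and cmd.exe in the strings."""
    sec_va, sec_raw = 0x1000, 0x200
    descriptors_len = 20 * 2  # one import descriptor plus the zero terminator
    names = b"kernel32.dll\0contact.dll\0cmd.exe\0"
    descriptors = struct.pack("<IIIII", 0, 0, 0, sec_va + descriptors_len, 0) + b"\0" * 20
    section = descriptors + names
    section += b"\0" * (0x200 - len(section))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points to 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIRECTORY_INDEX, sec_va, descriptors_len)
    sec_hdr = b".rdata\0\0" + struct.pack("<IIIIIIHHI", len(section), sec_va, len(section),
                                          sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + bytes(opt) + sec_hdr
    headers += b"\0" * (sec_raw - len(headers))
    return headers + section


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

Run against a real file with `triage(open(path, "rb").read())`. A one-entry import table is not proof of packing by itself, since runtime-resolved imports are also common in legitimate installers, but combined with module names that never appear in the import directory it is exactly the kind of mismatch the article's Figure 4 points at, and it is cheap enough to run over every new sample before deeper analysis.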









