New version of the loader has gone on sale on an underground market

Jun 26, 2014 11:45 GMT  ·  By

Pony loader has been updated recently, and the list of new features advertised by cybercriminals on underground forums includes the ability to steal crypto-currency wallets belonging to a wide range of wallet clients.

This particular build of the loader is currently sold on criminal markets as version 2.0. It follows the leak of the version 1.9 source code on the Internet, which allowed other groups to build on the earlier feature set.

Researchers from Damballa analyzed a sample of the new Pony loader version and determined that it targets a large number of wallet clients across many different digital currencies.

The list identified by the researchers includes Electrum, MultiBit, Litecoin, Namecoin, Terracoin, Bitcoin Armory, PPCoin (Peercoin), Primecoin, Feathercoin, NovaCoin, Freicoin, Devcoin, Frankocoin, ProtoShares, MegaCoin, Quarkcoin, Worldcoin, Infinitecoin, Ixcoin, Anoncoin, BBQcoin, Digitalcoin, Mincoin, Goldcoin, Yacoin, Zetacoin, Fastcoin, I0coin, Tagcoin, Bytecoin, Florincoin, Phoenixcoin, Luckycoin, Craftcoin, Junkcoin and the original Bitcoin client.

Apart from this, Damballa says that most of the capabilities of the previous version have been preserved and updated for greater impact.

Among them is brute-forcing user accounts against a built-in dictionary, which has been refreshed with new passwords.

The cybercriminals have also implemented the ability to decode passwords saved by a large number of programs, including digital currency clients, FTP managers, email clients, file managers and web browsers.

In the case of the reference Bitcoin client, the wallet file (wallet.dat) is not encrypted by default, so a copy of that single file is enough to spend the funds, and many users run the risk of losing their digital money. “Anyone who can access an unencrypted wallet can easily steal all of your coins,” says the Bitcoin wiki page. To prevent theft, experts recommend encrypting the wallet with a strong passphrase; the reference client has offered built-in wallet encryption since version 0.4. Encryption protects only the keys at rest: a stealer that runs while the wallet is unlocked, or that captures the passphrase, can still empty it.
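As an added illustration of the point above (this is not code from the article or from Damballa), the following script checks whether a Bitcoin Core style wallet.dat has actually been encrypted. It relies on the record-type names Bitcoin Core uses inside the Berkeley DB file ("key" for plaintext private keys, "ckey" for keys encrypted under the wallet master key, "mkey" for the master key); the sample byte fragments at the bottom are constructed for the demonstration and contain no real keys.

```python
"""Check whether a Bitcoin Core style wallet.dat has been encrypted.

Added example, not from the article or from Damballa. The wallet file is a
Berkeley DB store whose record keys begin with a length-prefixed type
string. Three types matter for this check (names are Bitcoin Core's):

  b"\\x03key"   plaintext private key record  -> wallet is NOT encrypted
  b"\\x04ckey"  private key encrypted under the wallet master key
  b"\\x04mkey"  master key, itself encrypted with the user's passphrase

The scan works on raw bytes so it needs no Berkeley DB bindings, which
also means it is a heuristic: a random 4-byte collision inside key data
is possible, but vanishingly rare in practice.
"""
from pathlib import Path

PLAINTEXT_KEY = b"\x03key"
ENCRYPTED_KEY = b"\x04ckey"
MASTER_KEY = b"\x04mkey"


def wallet_encryption_status(data: bytes) -> str:
    """Classify raw wallet.dat bytes.

    Returns one of:
      "encrypted"   master key present, no plaintext key records
      "unencrypted" plaintext key records and no master key
      "leaked"      master key present but plaintext key records remain
                    (Bitcoin Core rewrites the file after encrypting
                    precisely to avoid this; treat it as unencrypted)
      "unknown"     no key records at all (empty or not a wallet)
    """
    has_plain = PLAINTEXT_KEY in data
    has_master = MASTER_KEY in data
    if has_master and not has_plain:
        return "encrypted"
    if has_plain and not has_master:
        return "unencrypted"
    if has_master and has_plain:
        return "leaked"
    return "unknown"


def key_record_counts(data: bytes) -> dict:
    """Rough count of key records of each type, useful in a report."""
    return {
        "key": data.count(PLAINTEXT_KEY),
        "ckey": data.count(ENCRYPTED_KEY),
        "mkey": data.count(MASTER_KEY),
    }


def audit_wallet_file(path) -> dict:
    """Read a wallet file from disk and return its status plus counts."""
    data = Path(path).read_bytes()
    return {"path": str(path), "status": wallet_encryption_status(data),
            **key_record_counts(data)}


# Constructed fragments standing in for real wallet files (no real keys).
SAMPLE_UNENCRYPTED = (
    b"\x00" * 16 + b"\x03key" + b"\x21\x02" + b"\xab" * 33   # pubkey, then
    + b"\x20" + b"\x11" * 32 + b"\x00" * 16                  # raw privkey
)
SAMPLE_ENCRYPTED = (
    b"\x00" * 16 + b"\x04mkey" + b"\x01\x00\x00\x00" + b"\x5a" * 48
    + b"\x04ckey" + b"\x21\x03" + b"\xcd" * 33 + b"\x30" + b"\x77" * 48
)

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(audit_wallet_file(p))
    if len(sys.argv) == 1:
        print("sample unencrypted:", wallet_encryption_status(SAMPLE_UNENCRYPTED))
        print("sample encrypted:  ", wallet_encryption_status(SAMPLE_ENCRYPTED))
```

Run it against a copy of wallet.dat (never the live file while the client is running) and anything other than "encrypted" means the private keys are readable by whatever can read the file, which is exactly what a stealer like Pony collects. The "leaked" state is a reminder that encrypting in place is not enough; the client must rewrite the database so that stale plaintext records do not survive in freed pages.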

The sample analyzed by Damballa connected to a command and control domain fronted by the CloudFlare global content delivery network (CDN). Because every connection terminates at a shared CloudFlare edge address, the real server's IP stays hidden and the traffic blends in with legitimate CDN use, which defeats IP-based blocklists and reputation checks.

CloudFlare was alerted and suspended the hosting account, cutting off all communication with the command and control server.
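Until a takedown happens, the defender's only reliable handle on CDN-fronted command and control is the hostname rather than the IP address. The script below is an added example (not from the article or from Damballa) of that pivot over web proxy logs: it flags hosts that resolve to CloudFlare edge addresses, are not on an organisation's allowlist, and receive repeated small POST requests from internal clients. The log lines, the host name update-checker.invalid (a reserved TLD), the log format and the allowlist are all constructed for the demonstration, and the CloudFlare prefix list is a snapshot that must be refreshed from the published list before use.

```python
"""Flag CDN-fronted command-and-control hosts in web proxy logs.

Added example, not from the article or from Damballa. When a C2 domain
sits behind CloudFlare, the destination IP is a shared CloudFlare edge
address, so IP blocklists and IP reputation see nothing unusual. The
usable signal is the Host header (or TLS SNI): a host that is fronted by
the CDN, is not on the organisation's allowlist, and receives small
repeated POSTs from several internal clients is worth a look.

The prefix list below is a snapshot of CloudFlare's published IPv4
ranges; refresh it from https://www.cloudflare.com/ips/ before use.
"""
import ipaddress
from collections import defaultdict

CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of the CloudFlare prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def parse_line(line: str) -> dict:
    """Parse one line of the constructed log format used below:
    time src_ip method host dst_ip path status bytes_out"""
    ts, src, method, host, dst, path, status, size = line.split()
    return {"ts": ts, "src": src, "method": method, "host": host.lower(),
            "dst": dst, "path": path, "status": int(status), "size": int(size)}


def suspicious_hosts(log_text: str, allowlist, min_posts: int = 2) -> dict:
    """Return {host: summary} for hosts that are CloudFlare-fronted, not
    allowlisted, and receive at least min_posts POST requests."""
    per_host = defaultdict(lambda: {"clients": set(), "posts": 0,
                                    "dst_ips": set(), "paths": set()})
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if not is_cloudflare(rec["dst"]):
            continue              # ordinary IP reputation can handle these
        if rec["host"] in allowlist:
            continue              # known CDN-hosted services
        s = per_host[rec["host"]]
        s["clients"].add(rec["src"])
        s["dst_ips"].add(rec["dst"])
        s["paths"].add(rec["path"])
        if rec["method"] == "POST":
            s["posts"] += 1
    return {h: {"clients": sorted(s["clients"]), "posts": s["posts"],
                "dst_ips": sorted(s["dst_ips"]), "paths": sorted(s["paths"])}
            for h, s in per_host.items() if s["posts"] >= min_posts}


# Constructed proxy log. update-checker.invalid plays the fronted C2 host;
# .invalid is a reserved TLD, so nothing here points at a real domain.
SAMPLE_LOG = """
2014-06-25T10:01:02Z 10.0.0.15 POST update-checker.invalid 104.16.45.12 /gate.php 200 412
2014-06-25T10:01:09Z 10.0.0.15 POST update-checker.invalid 104.16.45.12 /gate.php 200 398
2014-06-25T10:02:30Z 10.0.0.22 GET www.example.com 93.184.216.34 / 200 1256
2014-06-25T10:03:01Z 10.0.0.15 GET cdnjs.cloudflare.com 104.16.89.50 /ajax/libs/jquery/1.11.1/jquery.min.js 200 94012
2014-06-25T10:04:44Z 10.0.0.31 POST update-checker.invalid 104.16.45.12 /gate.php 200 405
2014-06-25T10:05:10Z 10.0.0.22 POST intranet.example.com 10.0.5.5 /login 302 96
"""

ALLOWLIST = {"cdnjs.cloudflare.com"}

if __name__ == "__main__":
    for host, summary in suspicious_hosts(SAMPLE_LOG, ALLOWLIST).items():
        print(host, summary)
```

On the constructed log only update-checker.invalid is reported, with two internal clients and three POSTs, while the jQuery download from the same CloudFlare range and the direct connection to an intranet host are ignored. The actionable response is the one the article describes: block the hostname at the proxy and report the account to the CDN operator, since blocking the edge IP would also cut off every legitimate site behind it.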

Pony loader is also known as Fareit, and besides its info-stealing components it is used to download other malicious payloads. One example is the GameOver Zeus Trojan, which was retrieved from compromised websites or from servers under the control of the cybercriminals.

The kit contains a builder for the malware binary and, according to Damballa, producing a new build requires only a few clicks.

Given that the new version is already up for sale, Damballa expects an increase in criminal activity targeting digital currency.