Pony

CVE-2015-0311 has been first seen exploited by Angler EK ... soon after used in "standalone" mode in huge malvert campaign ... Top adult site xHamster involved in large malvertising campaign

In recent weeks, we detected a marked increase in email campaigns attempting to install Locky... This particular campaign... used malicious document attachments... Outside of the very large campaign detected on April 7th, the ransomware in many of these campaigns is being installed via JavaScript attachment files rather than documents.

The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.

On September 26, Proofpoint researchers observed a campaign with hundreds of thousands of email messages targeting US recipients. The emails used an eFax lure and contained a URL linking to the download of a document containing malicious macros.

APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.

CVE-2015-0311 has been first seen exploited by Angler EK ... soon after used in "standalone" mode in huge malvert campaign ... CVE-2015-0311 has been integrated today in RIG ... Fiesta successfully exploit Windows XP IE8 Flash 16.0.0.257 using CVE-2015-0311 ... Nuclear Pack successfully exploit ... using CVE-2015-0311 ... Sweet Orange firing exploit for CVE-2015-0311 ... Neutrino firing his bundle of Sploit ... Magnitude - CVE-2015-0311 exploited successfully

The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.

Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.

To keep them under the antivirus radar, Nigerian actors techniques use "crypters" - software tools designed to encrypt, obfuscate, and modify malware.

"Bumblebee has been delivered as password-protected zipped ISO files" / "Flagpro has been delivered within ZIP or RAR password-protected archived files." / "TA505 has password-protected malicious Word documents."

Anchor has used cmd.exe to run its self deletion routine. Gelsemium can use a batch script to delete itself. Pony has used batch scripts to delete itself after execution. Lazarus Group used a batch file mechanism to delete its binaries from the system.

The info stealers most popular with SilverTerrier last year were LokiBot (446 unique samples/month), Pony (330 unique samples/month), and Agent Tesla .NET keylogger (95 unique samples/month).

Information stealers seem to be the preferred type of malware to help in their fraudulent email attacks... The attacker can pilfer data about the targets and use it to create efficient messages for diverting transactions or asking money to be sent to fraudsters' account.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

“actors used the following commands… to enumerate user accounts: net user >> %temp%\download; net user /domain >> %temp%\download … APT1 used the commands net localgroup, net user, and net group to find accounts… APT32 enumerated administrative users using the commands net localgroup administrators … OilRig has run net user, net user /domain, net group "domain admins" /domain …”

Examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUSerDefaultUILanguage function."

The info stealers most popular with SilverTerrier last year were LokiBot (446 unique samples/month), Pony (330 unique samples/month), and Agent Tesla .NET keylogger (95 unique samples/month).

Once deployed, the malware communicated with the attackers’ command-and-control (C&C) servers using common protocols like SMTP, FTP, and HTTP.

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

The Hancitor malware, first observed in 2015, is a downloader known to deliver several other malware. In its first years, Hancitor was observed delivering information stealers such as Pony or Vawtrak, and in recent years, Ficker stealer and NetSupport RAT. In 2021, Hancitor was observed delivering the Cobalt-Strike attack framework...

Examples include: "FIN4 has used HTTP POST requests to transmit data," "SolarWinds Compromise, APT29 used HTTP for C2 and data exfiltration," and "PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server."

The stolen credentials were then sent to predefined email addresses controlled by the attackers, enabling unauthorized access to victims’ accounts and systems.

Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.