Pony Credential Stealer Masquerades As Microsoft Publisher Documents

Researchers at Cisco Talos report that the Pony malware is being spread through an unusual distribution campaign. The notorious credential harvester has been hiding behind Microsoft Publisher documents, a file type that is not a usual host for malware.

This is not an isolated case, as .pub files have been used to deliver infections before. In September of last year, researchers uncovered data-stealing malware hiding behind Microsoft Publisher files. That infection operated on a large scale, stealing corporate information from companies in China, the United Kingdom, and other locations.

Microsoft Word and Excel documents are the usual carriers for malware. PowerPoint presentations are a rare option, while Microsoft Publisher files are an uncommon propagation vector.

The rarity of this file type has nothing to do with its effectiveness: the campaigns spreading the Pony malware use an advanced obfuscation technique that allows the infection to bypass security software.

The .pub file containing the Pony malware is sent to users by email. The spam campaign applies the usual tricks to get recipients to open the attachment. The attackers write a formal letter and ask recipients to review a fake document.

To conceal the installation of the malware, the attackers use social engineering techniques. They add a 2 megabyte macro to the attachment, which starts running in the background once the file has been opened.

The Microsoft Publisher document crashes a few moments after the victim opens it. In the meantime, the macro writes a “letten.js” file onto the hard drive. This file has its own protection mechanisms which allow it to avoid detection.

In a blog post, Cisco Talos researchers explained the infiltration pattern of the Pony malware. “Initially we find a heavily obfuscated piece of Javascript — remember this is the cool kids’ language of choice now — but we can easily overcome this obfuscation. The obfuscation is divided into 2 layers. The first layer decrypts data in order to perform an eval() on the clear text. Not surprisingly the eval reveals another layer of obfuscated Javascript!”, the experts concluded.

The JavaScript code is heavily obfuscated. The code downloads a binary and installs it in the system’s TEMP folder. The binary is the Pony malware. It should be noted that this infection can install other malicious programs on the targeted machine. Pony is known to distribute rogue programs like Vawtrak.

The main function of Pony is to steal login credentials. The malware works as a keylogger, recording the user’s keystrokes. The gathered input is then sent to a command and control (C&C) server. Pony thus hands users’ login data to attackers, who can use it to break into personal and financial accounts.

The best measure you can take to protect your system from such attacks is to filter spam emails. Look for suspicious signs in the message. In this case, the topic of the emails does not suit the file type. The spam letters which distribute the Pony malware list the topic as “financial requirement”. Storing this kind of data in a Microsoft Publisher file is unconventional. Such information would normally be stored in a Microsoft Word or .pdf document.
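A mail-gateway triage check for the pattern described above, as an added example that is not from the article or from Cisco Talos: it parses a message, picks out Publisher attachments, and checks each for the OLE2 header and a VBA project stream name. The MIME types, the raw-byte `_VBA_PROJECT` search (a heuristic), the verdict labels and the sample message are assumptions made for this example.

```python
import email
from email import policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")      # OLE2 compound file header
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")    # stream name found in VBA projects
PUB_TYPES = {"application/x-mspublisher", "application/vnd.ms-publisher"}  # assumed

def triage(raw: bytes) -> list[dict]:
    """Return one finding per Publisher attachment in a raw e-mail message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if not (name.endswith(".pub") or part.get_content_type() in PUB_TYPES):
            continue
        findings.append({
            "subject": str(msg["subject"]),
            "filename": name,
            "size": len(data),
            "is_ole": data.startswith(OLE_MAGIC),
            "has_vba": VBA_MARKER in data,   # heuristic: raw scan, no OLE parsing
        })
    return findings

def verdict(finding: dict) -> str:
    """Hypothetical policy: hold macro-bearing .pub files, flag the rest."""
    if finding["is_ole"] and finding["has_vba"]:
        return "quarantine"
    return "review"   # Publisher attachments are uncommon in business mail

def build_sample(with_macro: bool) -> bytes:
    """Constructed message; the attachment is inert filler, not a real document."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "financial requirement"
    msg.set_content("Please review the attached document.")
    body = OLE_MAGIC + b"\x00" * 512 + (VBA_MARKER if with_macro else b"")
    msg.add_attachment(body, maintype="application", subtype="x-mspublisher",
                       filename="requirement.pub")
    return msg.as_bytes()

if __name__ == "__main__":
    for f in triage(build_sample(True)):
        print(verdict(f), f)
```

A gateway would typically pass the `review` cases to an analyst together with the subject line, since the mismatch between subject and file type is the signal the article points to.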
