Incident Response, Malware, TDR

Pony Loader 2.0 now steals cryptocurrency wallets, still spreads other malware

Pony Loader, a years-old information stealer trojan previously used to spread Zeus and Necurs trojans and Cryptolocker and Cribit ransomware, has been updated to steal cryptocurrency wallets – lots of cryptocurrency wallets.

Pony Loader 2.0, also referred to as Fareit, has been circulating since earlier this year, and its source code was put up for sale in May, leading researchers at security company Damballa to expect an uptick in malware fitted to steal cryptocurrency wallets.

The cryptocurrency wallets targeted by Pony Loader 2.0 include Bitcoin, Litecoin, MultiBit, Namecoin, Terracoin, Primecoin, Feathercoin, NovaCoin, MegaCoin, Digitalcoin, Zetacoin, Fastcoin, Tagcoin, Bytecoin, Florincoin, and Luckycoin, but even more are listed in a Tuesday blog post.

“This [cryptocurrency-stealing] ability across all those wallets is being marketed by the sellers,” Isaac Palmer, malware reverse engineer with Damballa, said in a Friday email. “That in my opinion is not surprising. The attackers are motivated to get as much financial gain as possible.”

The sellers, who are believed to be from Russia, are also marketing other features and upgrades, several of them improvements to password collection and others consisting of added options and bug fixes, according to the post.

Pony Loader 2.0 retains its ability to steal credentials and to spread other malware, and it also carries a built-in wordlist used to brute-force user accounts, according to the post.

So far Damballa has observed numerous Pony Loader 2.0 infections across the globe, Palmer said, explaining that victims are typically infected through malicious links in emails or via exploit kits such as Sweet Orange, Nuclear, Neutrino, and BlackHole.

[An earlier version of this story was updated to clarify certain exploit kits].
