Security Experts:

Pony Loader 2.0 Malware Source Code for Sale

The source code for version 2.0 of the information-stealing Trojan called Pony Loader, also known as Fareit, has been put up for sale by malware authors, Damballa announced on Tuesday.

Ever since the source code for Pony 1.9 was leaked online, malware developers have been improving the Trojan's capabilities. In December 2013, researchers from Trustwave's SpiderLabs identified an instance that had been used by cybercriminals to steal credentials for around 2 million accounts.

Pony 2.0 surfaced in early 2014 with a new feature that enables cybercriminals to steal virtual currency wallets. In February, SpiderLabs reported that a Pony botnet had been used to steal about $220,000 worth of Bitcoin, Litecoin and other crypto-currencies after compromising 85 wallets.

The source code for Pony 2.0 was put up for sale in May and, according to Damballa, we should expect to see an increase in this type of Bitcoin-stealing malware with customized capabilities, especially since the builder which enables cybercriminals to create new instances with just a few mouse clicks is sold along with the source code.

The malware authors claim that the new version of the Trojan is designed to target several types of virtual currencies besides Bitcoin, including Litecoin, Electrum, Namecoin, Terracoin, PPCoin, Primecoin, Feathercoin, Freicoin, Devcoin, Frankocoin, , MegaCoin, Quarkcoin, Worldcoin, Infinitecoin, Anoncoin, Digitalcoin, Goldcoin, Yacoin, , Fastcoin, Tagcoin, Bytecoin, Phoenixcoin, and Luckycoin.

Version 2.0 of the Trojan also comes with improved password-stealing capabilities and bug fixes. The threat is capable of harvesting passwords by decoding saved passwords for several popular applications, or by using a list of common passwords to brute-force user accounts.

 "Given the capability to steal stored credentials from a wide variety of software, users should consider storing their passwords and bitcoin private keys using these programs risky," Isaac Palmer, a malware reverse engineer at Damballa, explained in a blog post.


view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.