The source code for version 2.0 of the information-stealing Trojan called Pony Loader, also known as Fareit, has been put up for sale by malware authors, Damballa announced on Tuesday.
Ever since the source code for Pony 1.9 was leaked online, malware developers have been improving the Trojan’s capabilities. In December 2013, researchers from Trustwave’s SpiderLabs identified an instance that had been used by cybercriminals to steal credentials for around 2 million accounts.
Pony 2.0 surfaced in early 2014 with a new feature that enables cybercriminals to steal virtual currency wallets. In February, SpiderLabs reported that a Pony botnet had been used to steal about $220,000 worth of Bitcoin, Litecoin and other crypto-currencies after compromising 85 wallets.
The source code for Pony 2.0 was put up for sale in May and, according to Damballa, we should expect to see an increase in this type of Bitcoin-stealing malware with customized capabilities, especially since the builder which enables cybercriminals to create new instances with just a few mouse clicks is sold along with the source code.
The malware authors claim that the new version of the Trojan is designed to target several types of virtual currencies besides Bitcoin, including Litecoin, Electrum, Namecoin, Terracoin, PPCoin, Primecoin, Feathercoin, Freicoin, Devcoin, Frankocoin, , MegaCoin, Quarkcoin, Worldcoin, Infinitecoin, Anoncoin, Digitalcoin, Goldcoin, Yacoin, , Fastcoin, Tagcoin, Bytecoin, Phoenixcoin, and Luckycoin.
Version 2.0 of the Trojan also comes with improved password-stealing capabilities and bug fixes. The threat is capable of harvesting passwords by decoding saved passwords for several popular applications, or by using a list of common passwords to brute-force user accounts.
“Given the capability to steal stored credentials from a wide variety of software, users should consider storing their passwords and bitcoin private keys using these programs risky,” Isaac Palmer, a malware reverse engineer at Damballa, explained in a blog post.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
