PonyForx is a fork of the more popular Pony infostealer. A crook named Cronbot is currently selling a new malware variant on Russian underground hacking forums that appears to be a successful fork of an older and very advanced infostealer called Pony.
Named Fox but currently identified by researchers as PonyForx or Fox Stealer, this new malware is currently at v1.0 and has been put up for sale since around August 11, this year.
Its author says this is a fork of the Pony infostealer, plus additional support for other applications that PonyForx can target and extract information and login credentials.
Pony, also known as Fareit, is an old, reputable (among crooks), and reliable information-stealing malware that can get passwords and all sorts of data from a wide range of applications, from browsers to email clients, and from FTP applications to Bitcoin wallets.
Cronbot says PonyForx is Pony updated “for 2016,” with updated support for today’s most popular apps. The crook is offering his malware for rent as an EXE or DLL file for $250 per month. Even if he’s adamant he’s not selling access to the PonyForx source code, he lists a price for it of $2,000.
PonyForx deployed in live attacks
Security researcher Kaffeine, who spotted the ad, says PonyForx has been used in live attacks.
The researcher discovered a campaign in September that was using the Neutrino exploit kit to deliver the Godzilla malware loader to users. In turn, Godzilla would download the PonyForx infostealer, and after it was done, it would deliver the Locky ransomware.
Below is Cronbot’s ad, translated (via Google Translate) to English, and its original Russian form below.
Stiller and passwords netolko - Fox v1.0
We produce a product to sell. Already passed the final stage of testing of the product.
About the product:
1. Able to all that he can pony. + Added new software.
2. is actual for 2016.
3. Written in C ++ without any additional libraries.
4. Admin on ponies.
1. Only the rent.
2. Provided as EXE and DLL.
3. Sources will not sell.
Rent $ 250 per month.
Sources $ 2,000 one-time fee.
Стилер паролей и нетолько - Fox v1.0
Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.
О продукте :
1. Умеет все что умеет пони. + добавлен новый софт.
2. Актуален на 2016 год.
3. Написан на С++ без дополнительных библиотек.
4. Админка от пони.
1. Только аренда.
2. Распространяется в виде EXE и DLL.
3. Исходники продавать не будем.
Аренда 250$ в месяц.
Исходники 2000$ разово.