 |
| Gift for SweetTail-Fox-mlp by Mad-N-Monstrous |
Small data drop about another Pony fork : Fox stealer.
First sample of this malware I saw was at beginning of September 2016 thanks to Malc0de. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.
Advert :
2016-08-11 – Sold underground by a user going with nickname “Cronbot”
——–
Стилер паролей и нетолько – Fox v1.0
Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.
О продукте :
1. Умеет все что умеет пони. + добавлен новый софт.
2. Актуален на 2016 год.
3. Написан на С++ без дополнительных библиотек.
4. Админка от пони.
Условия :
1. Только аренда.
2. Распространяется в виде EXE и DLL.
3. Исходники продавать не будем.
Аренда 250$ в месяц.
Исходники 2000$ разово.
We are releasing the product for general sale. Final stage of testing for this product is already underway.
About the product:
1. Is able to do everything that pony does. + new software has been added.
2. Relevant for 2016.
3. Written in C++ without additional libraries.
4. Admin from pony.
Conditions:
1. For rent only.
2. Distributed as an EXE and DLL.
3. We will not be selling the source.
Rent is $250 a month.
Originals are a 2000$ one time fee.
It’s being loaded (with Locky Affid 13) by the Godzilla from (aka AfraidGate) group .
 |
| MISP taxonomy tags reflecting ScriptJS activity in the last months |
(note : it’s not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1] )
 |
| 2016-09-26 – ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13 Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2 |
 |
| Fox stealer (PonyForx) fingerprint in Cuckoo |
Sample :
blognetoo[.]com/find.php/hello
blognetoo[.]com/find.php/data
[1] ScriptJS’s Pony :
master.districtpomade[.]com|188.166.54.203 – 2015-08-15 Pony C2 from ScriptJS
js.travelany[.]com[.]ve|185.80.53.18 – 2015-12-10 Pony C2 from ScriptJS
Read More :
