Thursday, June 26, 2014

Throwback Thursday


Broke some older panels posted on CyberCrime Tracker.

These 'stealer' style malwares are designed to go after password caches on victim machines and transmit the stolen credentials (or product keys) to the C&C server.

C24 Stealer


iStealer



These kits are only used by HF skid trash. 

;-)

Saturday, June 21, 2014

Pony Loader 2.0

Pony 2.0

- = - Collection system passwords "Pony" - = -
-=- Система сбора паролей "Pony" -=-

While hacking about on some Russian bad boys servers I found some interesting files. At first it looks like the same old Pony 1.9, because the builder and panel say Pony 1.9, but the change log says: "Pony 2.0" with no release date. However, the builder was compiled in June 2014.

After reviewing the builder and panel, I can confirm it is an updated version of Pony 1.9, very similar but with some new additions. See the change log for complete list of updates. 


Notable New Features in Pony 2.0:
- Implemented resident mode for the loader and collect passwords
- Implemented a collection of purses for Bitcoin clients
- Collecting proxy settings/credentials from browsers
- TDS "Flow Control" feature in loader panel



Pony Builder

The builder is an application that takes a configuration and builds the actual malware file which is then executed on a victim machine. Upon execution, the malware collects the desired passwords stored on the victim machine, sends them to the criminals, and then downloads or 'loads' another piece of malware, for example ZeuS. This is where it gets the name Pony Loader. 


Translation of help file:
Builder "PonyBuilder.exe"
Task Builder - configure and compile the client "Pony.exe", which must progruzhat on infected computers. Contents:
Folder "masm32" - compiler Microsoft Macro Assembler (MASM).
Folder "PonySrc" - source code in MASM client program (grabber) "Pony.exe".
Folder "BuilderSrc" - source code in Delphi 7 auxiliary program-Builder "PonyBuilder.exe".
File "PonyBuilder.exe" - program-builder for the client "Pony.exe".
File "help.txt" - help file.
File "build.bat" - script used to compile the Builder build from source "PonySrc".
File "Pony.ico" - icon is attached to "Pony.exe" when compiling if bildere select the corresponding option.

Files from Pony 2.0 Builder


PonyBuilder.exe
- It was packed with UPX
- Compile date: June 17th 2014

Pony Loader 2.0 - PonyBuilder.exe packed with UPX

Pony Loader 2.0 - PonyBuilder.exe unpacked 

Pony 1.9 Builder:
Pony Loader 1.9 - PonyBuilder.exe - Compiled Dec 22, 2012



Interface is divided into four tabs:

Builder
  • Text box "Domain list to send the password" - here you can assign a list of URL gates to send the password.Each line - separate URL, for example: http://somedomain.com/dir/gate.php You can add an unlimited number of rows (URL), the same URL, you can add a few times. Domain can contain information about the port connection, for example: http://privatedomain.com:8080/gate.php . Protocol https:// is not currently supported.
  • "Pony.exe" will attempt to connect and send the report to the passwords on the list, if the data is successfully delivered, the program quits immediately without attempting to connect to the rest of the URL.
  • Button "Select Icon" allows you to set an icon for the source file is only supported format *. ico.
  • Button "Create build" compiles the file "Pony.exe" with the specified settings.
Builder tab


Loader
  • Simple loader (boot files). After collecting passwords with these links (URL) will be loaded and running files. URL specified in the same way as the list of domains to send the password. In the lower part of the tab, you can specify the following options:
  • Activate loader - include work loader, otherwise the files will not be loaded.
  • Do not run the same files twice - after the successful launch of the downloaded file in the registry will be added to the reference value (hash) of the data file, and then, when reloading, the duplicate will not run.

Loader tab - Compared to Pony 1.9


Settings
To see all the settings, you must activate the option "Show advanced settings" in the main menu.
  • Compress - compress reports using library aPLib, adds about 5Kb to the size of the executable file, text data pack well before sending, it is strongly recommended to use, greatly reduces the traffic to the server.
  • Encrypt - encrypt reports algorithm RC4.
  • Encryption Password - the password that encrypts reports similar password must be installed in the server configuration.
  • Save reports to disk (for debugging) - When you run "Pony.exe", after the passwords were collected in the same location where he was running the executable file will be created "out.bin", a container with passwords in a form in which it is sent to the server for further processing (decryption).
  • Send blank reports (for statistics) - usually, if no password is found, the client "Pony.exe" anything sent to the server will not, but sometimes useful to switch this option to get statistics on the number of successful launches "Pony.exe".
  • Debug mode - removes interceptor exceptions used exclusively for debugging purposes.
  • Send only new reports - if this option is not activated, then duplicate records with passwords will not be sent.
  • Samoudalenie - running file "Pony.exe" will be removed after complete its work.
  • Add icon - selected icon to attach a file to be compiled.
  • Packing build using UPX - compress executable "Pony.exe" after compilation.
  • Number of attempts to send the report - how many times to try to send a report when an unsuccessful transmission, it is recommended to specify at least two attempts. 
Option to build:
  • Exe-file - a regular executable file Windows (*. exe)
  • Dll-file - version of the assembly in the form. dll library, it is autonomous, for testing, you must call from your project only API-function LoadLibrary (), ie URL to send the password and all settings are sewed in itself. Dll file. In the folder DllTest is a simple example of testing in the same folder, you must put the file Pony.dll, then run the file DllTest.exe, which in turn calls LoadLibrary () for. Dll library.
  • In the list of "Available modules decryption" can be excluded from the build unnecessary decipherers passwords, it will reduce the size of the build.
Settings tab - Note new Bitcoin feature



Skin
On this tab, you can choose a favorite skin (peel) Builder.
Skins tab




Pony 2.0 Panel


Admin login:
Not leaked for TrojanForge ;-)


Home:
I didn't feel like installing the needed components - just looking. 


Others:
Bitcoin wallets and proxy lists are now stolen.

Email - Certificates - Bitcoin Wallets - RDP credentials - Proxy list




Loader:

This is one notable new feature - a simple "Flow Control" traffic distribution system TDS. (Translated to English) Giving the admin control over what will be loaded based on OS or country.





Change log from Pony 1.9 posted by Xylitol

Change log for Pony 2.0:
(Russian)
Pony 2.0
------------------------------------------------
Клиент (Pony.exe).
[!] Реализован резидентный режим для лоадера и сбора паролей
[!] Реализован сбор кошельков Bitcoin для оригинального клиента, а также Electrum, MultiBit, Litecoin, Namecoin, Terracoin,
    Bitcoin Armory, PPCoin (Peercoin), Primecoin, Feathercoin, NovaCoin, Freicoin, Devcoin, Frankocoin, ProtoShares, MegaCoin,
Quarkcoin, Worldcoin, Infinitecoin, Ixcoin, Anoncoin, BBQcoin, Digitalcoin, Mincoin, Goldcoin, Yacoin, Zetacoin, Fastcoin,
I0coin, Tagcoin, Bytecoin, Florincoin, Phoenixcoin, Luckycoin, Craftcoin, Junkcoin
[!] Лоадер может запускать .DLL файлы из памяти (без сброса на диск)
[+] Реализован сбор паролей из Я.Браузер, FTP Disk, новых версий Opera (основанных на коде Chrome)
[*] При работе программы от имени пользователя SYSTEM (сервиса Windows) лоадер теперь будет запускать файл с правами активной сессии (залогиненного) пользователя
[*] Доработан сбор паролей Firefox, теперь не зависит от наличия библиотек SQLite3
[*] При отправке паролей теперь поддерживаются HTTP редиректы (Location: http://...)
[+] Опциональный резервный режим загрузчика: если успешно загружен первый файл - остальные будут пропущены
[+] Добавлена возможность отключить сбор паролей (оставить только лоадер)
[+] Сбор информации вместе с паролями об установленных прокси серверах в браузерах
[+] При возможности самоудаление будет произведено без сброса .bat файла на диск
[-] Исправлен процессинг SQLite3 файлов для Chrome / Firefox содержащих 48 bit integers
[-] Исправлен серьезный баг в нескольких функциях, который мог приводить к ошибкам при сборе паролей и вылету программы
Билдер (PonyBuilder.exe).
[+] Добавлены подсказки
[+] Добавлена возможность отключить скины
[*] Обновлены компоненты AlphaControls (скины) до версии v9.01
[*] Компилятор masm32 (ml.exe) заменен на JWASM, билд теперь собирается быстрее
[*] Обновлен и улучшен инструментарий билдера
[*] Билдер перенесен на Delphi XE5
[*] Обновлен паковщик UPX до версии 3.91w
[-] Было невозможно сохранить большое количество строк в списках URL
[-] Исправлены проблемы с кодировкой GUI
Сервер (PHP).
[+] Добавлена совместимость с PHP 5.4+
[+] Полная поддержка CuteFTP 9, 9.0.4 и 9.0.5
[+] Статистика по Bitcoin клиентам
[+] Добавлено определение ОС Windows 8.1 и Windows Server 2012 R2
[+] Добавлена возможность скачать только SMTP доступы из листа E-mail
[+] Некоторые ошибки (особенно те, которые невозможно отправить в лог админки) будут добавлены в error лог PHP
[*] Исправления ошибок в JavaScript
[*] Локализованный JavaScript код перенесен в Smarty
[*] Обновлен шаблонизатор Smarty до версии 3.1.17
[*] Устранены CSRF уязвимости
[*] Закладка "Домены" и весь ее функционал теперь отключены по умолчанию, включить можно в config.php ($show_domains = true)
[*] Улучшен сбор паролей и обработка конфигов в FTP Voyager
[*] Обновлена база GeoIP
[*] Улучшен код работы с БД MySQL
[-] Редкие предупреждения PHP, появляющиеся при создании графиков, могли их "сломать"
[-] Исправлен обработчик ошибок дешифровки в CuteFTP
[-] Исправлен сбор паролей для некоторых версий WiseFTP
[-] Для некоторых модулей устранены ошибочные сообщения в логах при чтении БД SQLite3
[-] При отключенном шифровании отчеты добавлялись некорректно, что приводило к импорту дублирующих отчетов в БД
[-] Исправлены множественные ошибки парсинга XML при обработке конфигов Directory Opus
[-] Исправлена дешифровка паролей в WinSCP




Change log:
(Google translation)

Pony 2.0
------------------------------------------------
Client (Pony.exe) 
[!] Implemented resident mode for the loader and collect passwords
[!] Implemented a collection of purses for the original Bitcoin client and Electrum, MultiBit, Litecoin, Namecoin, Terracoin,
    Bitcoin Armory, PPCoin (Peercoin), Primecoin, Feathercoin, NovaCoin, Freicoin, Devcoin, Frankocoin, ProtoShares, MegaCoin,
Quarkcoin, Worldcoin, Infinitecoin, Ixcoin, Anoncoin, BBQcoin, Digitalcoin, Mincoin, Goldcoin, Yacoin, Zetacoin, Fastcoin,
I0coin, Tagcoin, Bytecoin, Florincoin, Phoenixcoin, Luckycoin, Craftcoin, Junkcoin
[!] Loader can run. DLL files from memory (without reset disk)
[+] Implemented collection of Ya.Brauzer passwords, FTP Disk, new versions of Opera (code-based Chrome)
[*] When the program on behalf of the user SYSTEM (service Windows) will now run the loader file as an active session (logged on) Users
[*] Improved collect passwords Firefox, is no longer dependent on the availability of libraries SQLite3
[*] When sending passwords now supports HTTP redirects (Location: http:// ...)
[+] Optional redundant bootloader mode: if successfully loaded the first file - the rest will be skipped
[+] Added option to disable the collection of passwords (just leave the loader)
[+] Gathering information with passwords on the installed proxies in browsers
[+] If possible samoudalenie will be made without relief. Bat file to disk
[-] Fixed processing SQLite3 files for Chrome / Firefox containing 48 bit integers
[-] Fixed a serious bug in several functions, which could lead to errors in the collection of passwords and reach program

Builder (PonyBuilder.exe)
[+] Added tips
[+] Added option to disable skins
[*] Updated components AlphaControls (skins) to version v9.01
[*] Compiler masm32 (ml.exe) replaced JWASM, is now going to build faster
[*] Updated and improved tools Builder
[*] Builder ported to Delphi XE5
[*] Updated to version packer UPX 3.91w
[-] It was impossible to keep a large number of rows in the URL list
[-] Fixed a problem with the encoding GUI 

Server (PHP) 
[+] Added compatibility with PHP 5.4 +
[+] Full support for CuteFTP 9, 9.0.4 and 9.0.5
[+] Statistics Bitcoin clients
[+] Added detection of OS Windows 8.1 and Windows Server 2012 R2
[+] Added ability to download only SMTP accesses from list E-mail
[+] Some errors (especially those that can not be sent to the admin log) will be added to the error log PHP
[*] Fixed errors in JavaScript
[*] Localized JavaScript code moved to Smarty
[*] Updated Smarty template engine to version 3.1.17
[*] Fixed CSRF vulnerability
[*] Bookmark "Domains" and all of its functionality is now disabled by default, enable it in config.php ($ show_domains = true)
[*] Improved collection and processing config passwords in FTP Voyager
[*] Updated GeoIP database
[*] Improved code with MySQL
[-] Rare warning PHP, appearing when creating graphs, they could "break"
[-] Fixed the error handler decryption in CuteFTP
[-] Fixed collect passwords for some versions WiseFTP
[-] Some modules eliminated error messages in the logs when reading the database SQLite3
[-] If you disable encryption added incorrectly reports that led to the import of duplicate reports in the database
[-] Fixed multiple errors in the processing of XML parsing config Directory Opus
[-] Fixed the decryption passwords in WinSCP


From the help file of Pony 2.0:

"Implemented instantaneous decoding saved passwords for the following programs: "
* FAR Manager
* Total Commander
* WS_FTP
* CuteFTP
* FlashFXP
* FileZilla
* FTP Commander
* BulletProof FTP
* SmartFTP
* TurboFTP
* FFFTP
* CoffeeCup FTP
* CoreFTP
* FTP Explorer
* Frigate3 FTP
* SecureFX
* UltraFXP
* FTPRush
* WebSitePublisher
* BitKinex
* ExpanDrive
* ClassicFTP
* Fling
* SoftX
* Directory Opus
* FreeFTP
* DirectFTP (определяется как FreeFTP)
* LeapFTP
* WinSCP
* 32bit FTP
* NetDrive
* WebDrive
* FTP Control
* Opera
* WiseFTP
* FTP Voyager
* Firefox
* FireFTP
* SeaMonkey
* Flock
* Mozilla Suite Browser
* LeechFTP
* Odin Secure FTP Expert
* WinFTP
* FTP Surfer
* FTPGetter
* ALFTP
* Internet Explorer
* Dreamweaver
* DeluxeFTP
* Google Chrome
* Chromium
* SRWare Iron (определяется как Chromium)
* ChromePlus
* Bromium (Yandex Chrome)
* Nichrome
* Comodo Dragon
* RockMelt
* K-Meleon
* Epic
* Staff-FTP
* AceFTP
* Global Downloader
* FreshFTP
* BlazeFTP
* NETFile
* GoFTP
* 3D-FTP
* Easy FTP
* Xftp
* FTP Now
* Robo-FTP
* LinasFTP
* Cyberduck
* Putty
* Notepad++ (NppFTP)
* CoffeeCup Visual Site Designer
* CoffeeCup Sitemapper (определяется как CoffeeCup FTP)
* FTPShell
* FTPInfo
* NexusFile
* FastStone Browser
* CoolNovo
* WinZip
* Yandex.Internet
* MyFTP
* sherrod FTP
* NovaFTP
* Windows Mail
* Windows Live Mail
* Pocomail
* Becky!
* IncrediMail
* The Bat!
* Outlook
* Thunderbird
* FastTrackFTP
* Я.Браузер
* Bitcoin
* Electrum
* MultiBit
* FTP Disk 


Samples:

Win32.Fareit (Pony Loader)

https://malwr.com/analysis/MTQyNzA5ZTM4NmYyNDczMTk3NDhlZTY2NzViMDA2NGY/
11af34aee811c1caea16df42abf0b44d

https://malwr.com/analysis/MDhjNDdmMzM2OTliNDYyN2E3NTFlMjI3ZGEzMTgyMjQ/
f2659a552502fbffc315f399f8a1f67d

https://www.virustotal.com/en/file/e011ffa7bd71d098a032059b10983193fb1df5788f61f317b0f694ee6963d5e4/analysis/1403350847/

https://www.virustotal.com/en/file/f8b2b99e850dffd3c838f6d9185e5f01d38dbbb3eade57d14a88357ce77a9da8/analysis/1403350876/

Thursday, June 5, 2014

McDumpals - I'm swipin' it

McDumpals is a carding shop. Brian Krebs recently wrote an article about this one and since I have some screenshots I will share the archive.

Advertisements for the shop:


McDumpals Advertisement




mcdumpals were not selling burgers
McDumpals.me
We're not selling burgers
I'm swipin' it


Scary Clown:





When you get to the site, it's like no other carding shop you have seen before.

They put a bit of stealth on this one.


Landing page:

McDumpals


Full size view:
McDumpals Landing Page



Login page:
mcdumpals



Account:
mcdumpals

FAQ:
mcdumpals

Support:
mcdumpals


ToS:
mcdumpals


Wallet:
mcdumpals


Dumps:
mcdumpals




Notes:

These screenshots are a few months old. I tried to login again and the site seems to be broken at the moment.

Admin contacts:
ICQ: 997711
Jabber: mcdumpals@xmpp.ru