Pony credential stealer trampling users via Microsoft Publisher documents

Multiple levels of obfuscation shelter the malware from prying eyes.

The credential-stealing Pony malware is masquerading as Microsoft Publisher documents in an effort to infect unsuspecting users.

The campaign begins when an attack email containing a Microsoft Publisher document saunters over to an unsuspecting user.

To be clear, this isn't the first time attackers have married malware-laden spam and Publisher files together. But it's an uncommon attack vector in comparison to malicious Microsoft Word, Excel and even PowerPoint documents.

Those individuals behind this campaign don't seem too worried about that. Otherwise, they would have tried to conceal the attachment's file type, such as by hiding it within a compressed .ZIP file. Instead, they use some social engineering techniques to bait the user into clicking on the attachment. If they succeed, the user opens the document, which appears to crash soon after.

Of course, that's what the attackers want a user to believe.

In the background, there's a 2MB macro that's up to no good. The file capitalizes on the user's confusion by writing a "letten.js" file onto disk. This file comes with its own protective measures.

As researchers at Cisco Talos explain in a blog post:

"Initially we find a heavily obfuscated piece of Javascript -- remember this is the cool kids' language of choice now -- but we can easily overcome this obfuscation. The obfuscation is divided into 2 layers. The first layer decrypts data in order to perform an eval() on the clear text. Not surprisingly the eval reveals another layer of obfuscated Javascript!"

Below those levels of obfuscation lies code designed to download a binary to the user's TEMP folder. That binary is Pony, malware which is known for installing Vawtrak and other malware onto infected machines. On its own, the downloader has the ability to steal users' credentials and send them back to a command and control (C&C) server.

Users can best protect against this attack campaign by not clicking on suspicious links and email attachments.

Also, while the malspam emails reference a "financing requirement," users should exercise a healthy dose of caution and wonder why anyone would use Microsoft Publisher to send over such an important document.

I'm sure it happens somewhere, but most legitimate companies would opt for Word or PDF files instead.
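For mail administrators, a gateway-style check for the delivery method described above, as an added example that is not from the original article or from Cisco Talos: it flags Publisher attachments by extension, confirms the OLE2 header that .pub files carry, and also looks inside ZIP archives, which goes beyond this campaign's unconcealed attachment. Function names, addresses and sample bytes are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# OLE2 compound file header, the container format Publisher documents use
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def publisher_findings(raw_message: bytes) -> list[str]:
    """Return one finding per attachment that is, or contains, a .pub file."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".pub"):
            kind = "OLE2 document" if data.startswith(OLE_MAGIC) else "not OLE2, extension only"
            findings.append(f"{name}: Publisher attachment ({kind})")
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    if inner.lower().endswith(".pub"):
                        findings.append(f"{name}: archive contains {inner}")
    return findings


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message; addresses, subject and payload are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Financing requirement"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def zipped(inner_name: str, payload: bytes) -> bytes:
    """Wrap a payload in an in-memory ZIP archive (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    fake_pub = OLE_MAGIC + b"\x00" * 64  # constructed bytes, not a real document
    for raw in (build_sample("invoice.pub", fake_pub),
                build_sample("docs.zip", zipped("invoice.pub", fake_pub)),
                build_sample("notes.txt", b"hello")):
        print(publisher_findings(raw) or "clean")
```

A hit is a reason to quarantine or review the message, not proof of malice, since the check only establishes that a Publisher file arrived by email.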
