The credential-stealing Pony malware is masquerading as Microsoft Publisher documents in an effort to infect unsuspecting users.
The campaign begins when an attack email containing a Microsoft Publisher document saunters over to an unsuspecting user.
To be clear, this isn’t the first time attackers have married malware-laden spam and Publisher files together. But it’s an uncommon attack vector in comparison to malicious Microsoft Word, Excel and even PowerPoint documents.
Those individuals behind this campaign don’t seem too worried about that. Otherwise, they would have tried to have concealed the attachment’s file type, such as by hiding it within a compressed .ZIP file. Instead they use some social engineering techniques to bait the user into clicking on the attachment. If they succeed, the user opens the document, which soon after appears to crash.
Of course, that’s what the attackers want a user to believe.
In the background, there’s a 2MB macro that’s up to no good. The file capitalizes on the user’s confusion by writing a “letten.js” file onto disk. This file comes with its own protective measures.
As researchers at Cisco Talos explain in a blog post:
Below those levels of obfuscation lays code designed to download a binary to the user’s TEMP folder. That binary is Pony, malware which is known for installing Vawtrak and other malware onto infected machines. On its own, the downloader has the ability to steal users’ credentials and send them back to a command and control (C&C) server.
Users can best protect against this attack campaign by not clicking on suspicious links and email attachments.
Also, while the malspam emails reference a “financing requirement,” users should exercise a healthy dose of caution and wonder why anyone would use Microsoft Publisher to send over such an important document.
I’m sure it happens somewhere, but most legitimate companies would opt for Word or PDF files instead.