IcedID Banking Trojan Shares Code with Pony 2.0 Trojan

Written by Jay Rosenberg - 13 November 2017

    Share article
    FacebookTwitterLinkedInRedditCopy Link

    Get Free Account

    Join Now

    IBM X-Force recently released an excellent report  on a new banking trojan named IcedID that is being distributed using computers already infected with Emotet. We took the MD5 of one of the droppers from the IBM report and extracted the payload.  After extracting the payload from one of the droppers listed in the report, using Intezer Analyze™, we have found code reuse from another malware named Pony, written about in a report by Proofpoint.

    Pony is a trojan that was being distributed via the Hancitor downloader, distributed through Microsoft Word documents. The version of Pony used in the reports is believed to be the same threat actor as Vawtrak. It was also sold via underground forums until the source code was leaked online.

    Pony is a trojan that was being distributed via the Hancitor

    (Intezer Analyze ™ report)

    Using the dive-in feature with the related Pony samples, we can see the following:

    Pony is a trojan that was being distributed via the Hancitor

    (Dive-in feature of Intezer Analyze™)

    With this information alone, it will be hard to attribute this sample to a certain threat actor due to the public availability of the source code of Pony.

    Let’s take a look at some of the matching functions.

    code of Pony

    As we can see here, the function in these two samples is a 1:1 match. The function above is called GrabOutlook in the Pony source code and is responsible for stealing passwords from Outlook.  (You may notice a difference because the strings appear decrypted in the sample on the left as it looks like Proofpoint dumped the sample with the strings already decrypted before uploading to VirusTotal.)

    VirusTotal

    (GrabOutlook function from Pony 2.0 source code)

    More specifically, we can tell the threat actor used code from version 2.0 of Pony because in the Pony 1.9 source code, we do not see calls to DecipherList which is responsible for decrypting the strings.

    DecipherList

    (GrabOutlook function from Pony 1.9 source code)

    Other shared functions from Pony:

    • OutlookExport
    • OutlookReadPSItemValue
    • OutlookScanPasswords
    • OutlookScanProfiles
    • PocomailScanReg
    • IncrediMailScanReg
    • CRC32Update
    • CommonCryptUnprotectData
    • MapFile
    • PonyStrCat
    • PonyStrCatFreeArg1
    • DecipherList
    • UnicodeToAnsiLen
    • FileExists
    • StreamUpdateModuleLen
    • StreamWriteModuleHeader

    There may be other functions from Pony, but we can see that the shared code is mostly related to stealing e-mail credentials.

    Time and time again, we see threat actors reusing the same code. If we look at reused code, it makes it easier to detect malware. Such small code reuse makes it very difficult to get these kinds of conclusions by manually reverse engineering a file.  The ability to automate the finding of code reuse makes our job as malware analysts easier.

    Report Samples:

    • IcedID Dropper: 29f7469f8dc88820f72a9bdcb02badc1a40aa41b3f4b7f8caaa30409b3842aea
    • IcedID Payload: a6531184ea84bb5388d7c76557ff618d59f951c393a797950b2eb3e1d6307013
    • Pony: b19ec186f59b1f72c768ed2fcd8344d75821e527870b71e8123db96f683f1b68
    Jay Rosenberg

    Generic filters
    Exact matches only
    Search in title
    Search in content
    Search in excerpt