IcedID Banking Trojan Shares Code with Pony 2.0 Trojan - Intezer

IBM X-Force recently released an excellent report on a new banking trojan named IcedID that is being distributed via computers already infected with Emotet. We took the MD5 of one of the droppers listed in the IBM report, extracted its payload and ran it through Intezer Analyze™, which found code reuse from another malware named Pony, written about in a report by Proofpoint.

Pony is a trojan that was being distributed via the Hancitor downloader, itself delivered through Microsoft Word documents. The version of Pony described in those reports is believed to be operated by the same threat actor as Vawtrak. Pony was also sold on underground forums until its source code was leaked online.

(Intezer Analyze™ report)

Using the dive-in feature with the related Pony samples, we can see the following:

(Dive-in feature of Intezer Analyze™)

With this information alone, it is hard to attribute this sample to a specific threat actor, because the Pony source code is publicly available.

Let’s take a look at some of the matching functions.

As we can see here, the function in these two samples is a 1:1 match. The function above is called GrabOutlook in the Pony source code and is responsible for stealing passwords from Outlook. (You may notice a difference because the strings appear decrypted in the sample on the left; it looks like Proofpoint dumped the sample with the strings already decrypted before uploading it to VirusTotal.)

(GrabOutlook function from Pony 2.0 source code)

More specifically, we can tell the threat actor used code from version 2.0 of Pony, because the Pony 1.9 source code contains no calls to DecipherList, the function responsible for decrypting the strings.

(GrabOutlook function from Pony 1.9 source code)

Other shared functions from Pony:

  • OutlookExport
  • OutlookReadPSItemValue
  • OutlookScanPasswords
  • OutlookScanProfiles
  • PocomailScanReg
  • IncrediMailScanReg
  • CRC32Update
  • CommonCryptUnprotectData
  • MapFile
  • PonyStrCat
  • PonyStrCatFreeArg1
  • DecipherList
  • UnicodeToAnsiLen
  • FileExists
  • StreamUpdateModuleLen
  • StreamWriteModuleHeader

There may be other functions from Pony as well, but the shared code we can see is mostly related to stealing e-mail credentials.

Time and time again, we see threat actors reusing the same code, and reused code makes malware easier to detect. Code reuse on this small a scale, however, is very hard to find by manually reverse engineering a file. Automating the search for code reuse makes our job as malware analysts easier.
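As an added example (not Intezer's, Pony's or the post's own code) of the function-level matching this conclusion rests on: each function body is hashed after masking values that look like absolute image addresses, so the same function linked at a different base still matches. The function names, the address-range heuristic and the byte strings below are all constructed for illustration, and the 1.9/2.0 GrabOutlook difference mirrors the DecipherList call described above.

```python
# Added example (not Intezer's or Pony's code): function-level code-reuse
# matching. Each "function" is a byte string assumed to have been carved
# from a binary already (e.g. by a disassembler). Absolute 32-bit addresses
# (relocations, string pointers) are masked before hashing so that the same
# function linked at a different image base still hashes identically.
import hashlib
from typing import Dict, List, Tuple

def normalize(func: bytes, lo: int = 0x00400000, hi: int = 0x01000000) -> bytes:
    """Zero every 4-byte little-endian value that falls in the assumed image range."""
    out = bytearray(func)
    i = 0
    while i + 4 <= len(out):
        if lo <= int.from_bytes(out[i:i + 4], "little") < hi:
            out[i:i + 4] = b"\x00\x00\x00\x00"
            i += 4
        else:
            i += 1
    return bytes(out)

def function_hashes(funcs: Dict[str, bytes]) -> Dict[str, str]:
    return {n: hashlib.sha256(normalize(b)).hexdigest() for n, b in funcs.items()}

def shared_functions(ref: Dict[str, bytes], sample: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Pairs (reference name, sample name) whose normalised bodies are identical."""
    by_hash: Dict[str, List[str]] = {}
    for name, h in function_hashes(sample).items():
        by_hash.setdefault(h, []).append(name)
    return sorted((r, s) for r, h in function_hashes(ref).items() for s in by_hash.get(h, []))

def addr(a: int) -> bytes:
    return a.to_bytes(4, "little")

# Constructed toy bodies (not real Pony/IcedID bytes): push ebp; mov ebp,esp;
# push <string ptr>; call rel32; pop ebp; ret. The 2.0 GrabOutlook calls
# DecipherList; the 1.9 version pushes the string and returns directly.
PONY_20 = {
    "GrabOutlook":  b"\x55\x8b\xec\x68" + addr(0x00403010) + b"\xe8\x10\x00\x00\x00\x5d\xc3",
    "DecipherList": b"\x55\x8b\xec\x8b\x45\x08\x33\xc9\x30\x08\x5d\xc3",
}
PONY_19 = {"GrabOutlook": b"\x55\x8b\xec\x68" + addr(0x00403010) + b"\x5d\xc3"}
# The unknown sample: same code at a different image layout, unnamed functions.
SAMPLE = {
    "sub_401000": b"\x55\x8b\xec\x68" + addr(0x00405020) + b"\xe8\x10\x00\x00\x00\x5d\xc3",
    "sub_401040": b"\x55\x8b\xec\x8b\x45\x08\x33\xc9\x30\x08\x5d\xc3",
    "sub_401080": b"\x55\x8b\xec\x33\xc0\x5d\xc3",
}

if __name__ == "__main__":
    print("shared with Pony 2.0:", shared_functions(PONY_20, SAMPLE))
    print("shared with Pony 1.9:", shared_functions(PONY_19, SAMPLE))
```

Against the 2.0 reference both carved functions match despite the different string pointer; against 1.9 nothing matches, which is the kind of evidence the version attribution above is built on.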

Report Samples:

  • IcedID Dropper: 29f7469f8dc88820f72a9bdcb02badc1a40aa41b3f4b7f8caaa30409b3842aea
  • IcedID Payload: a6531184ea84bb5388d7c76557ff618d59f951c393a797950b2eb3e1d6307013
  • Pony: b19ec186f59b1f72c768ed2fcd8344d75821e527870b71e8123db96f683f1b68

By Jay Rosenberg

Jay Rosenberg is a self-taught reverse engineer who started at a very young age (12 years old), specializing in reverse engineering and malware analysis. He currently works as a Senior Security Researcher at Intezer.

© Intezer.com 2017 All rights reserved