Gift for SweetTail-Fox-mlp
 by Mad-N-Monstrous


Small data drop about another Pony fork : Fox stealer.
First sample of this malware I saw was at beginning of September 2016 thanks to Malc0de. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.

Advert :
2016-08-11 - Sold underground by a user going with nickname "Cronbot"

--------
Стилер паролей и нетолько - Fox v1.0

Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.

О продукте : 
1. Умеет все что умеет пони. + добавлен новый софт.
2. Актуален на 2016 год.
3. Написан на С++ без дополнительных библиотек.
4. Админка от пони.

Условия : 
1. Только аренда.
2. Распространяется в виде EXE и DLL.
3. Исходники продавать не будем.

Аренда 250$ в месяц.
Исходники 2000$ разово.

---- Google Translated : ----

Stiller and passwords netolko - Fox v1.0

We produce a product to sell. Already passed the final stage of testing of the product.

About the product:
1. Able to all that he can pony. + Added new software.
2. is actual for 2016.
3. Written in C ++ without any additional libraries.
4. Admin on ponies.

Conditions :
1. Only the rent.
2. Provided as EXE and DLL.
3. Sources will not sell.

Rent $ 250 per month.
Sources $ 2,000 one-time fee.

--------

It's being loaded (with Locky Affid 13) by the Godzilla from ScriptJS (aka AfraidGate) group .

MISP taxonomy tags reflecting ScriptJS activity in the last months
(note : it's not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1] )

2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13
Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2

Fox stealer (PonyForx) fingerprint in Cuckoo

Sample :
cca1f8ba0be872ec86755e3defbb23c8fe4a272a6b4f7ec651302c5cddc5e183
Associated C2:
blognetoo[.]com/find.php/hello
blognetoo[.]com/find.php/data
blognetoo[.]com|104.36.83.52
blognetoo[.]com|45.59.114.126
Caught by ET rule :
2821590 || ETPRO TROJAN Win32.Pony Variant Checkin

[1] ScriptJS's Pony :
master.districtpomade[.]com|188.166.54.203 - 2015-08-15 Pony C2 from ScriptJS
​js.travelany[.]com[.]ve|185.80.53.18 - 2015-12-10 Pony C2 from ScriptJS

Read More : 
http://pastebin.com/raw/uKLhTbLs few bits about ScriptJS
Inside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27
Pony 1.9 (Win32/Fareit) - 2013-05-23 - Xylitol
Loading