Pony has been around since 2011, but it’s still the biggest threat when it comes to credential theft, according to data from Blueliv’s report, The Credential Theft Ecosystem. It leads the way at 39%, with LokiPWS and KeyBase trailing behind at 28% and 16% respectively.

Also known as Pony Stealer, Pony Loader, FareIT and a few other names, this malware has been responsible for several high profile attacks, as well as countless other thefts that never made the news. By 2013, a number of large Pony botnets had been seen, with one responsible for the theft of almost two million sets of credentials.

Since then, there was the 2014 campaign that resulted in the theft of 700,000 sets of credentials and $200,000 in cryptocurrencies, as well as a spate of attacks that kicked off in 2015, which combined the triple-threat of Pony, an exploit kit called Angler and a ransomware program known as CryptoWall.

What exactly is Pony?

Pony is more than just code for cryptocurrency or credential theft. It’s actually a botnet controller that targets Windows machines. It features a control panel, database and user management, logging and also statistics, which can be used to build and control its botnets.

Once a computer is infected, Pony runs in the background collecting information about the system, its network activity and the users that are connected to it. It can load other malware onto the target systems or be used to steal credentials and send them to its command and control server. It can also be set up to terminate after the theft or as a standalone executable that stays in the system.

There have been many versions of Pony, with the initial releases having a more limited functionality. It originally transferred data to the command and control server in plain text, but has since added an RC4 layer for protection.

Version 1.9 leaked online and became available en-mass, but when version 2.0 was released, it came with new features such as bug fixes and enhanced password-stealing abilities. The number of applications that it could brute force was expanded, including a range of cryptocurrency wallets.

These new opportunities lead to a resurgence in Pony-based attacks, particularly those targeting the crypto-community. A number of forks were also developed, such as Pony Fox. This decentralization and its widespread availability on the darknet have made Pony more difficult to combat than many of its rival stealers.

Credential theft

Pony can be used to steal credentials and other information from a wide range of sources. These include popular browsers such as Google Chrome or Internet Explorer, FTP applications like FileZilla or SmartFTP, email applications such as Outlook and Windows Live Mail, cryptocurrency wallets such as Electrum and Armory, as well as may others. All up, it can steal information or cryptocurrencies from well over 100 programs.

It does this by either reverse-engineering passwords that have been kept in encrypted storage, or by using brute-force attacks. Once Pony gains access to the data, it sends it to the command and control server where the attackers can access it. They can then either directly steal from their victims with the freshly-stolen bank details or cryptocurrency-wallet credentials, or they can sell the data in bulk on the darknet.

Malware loading

Pony can also be used in more sophisticated attacks that combine several different kinds of malware. One common technique involves attackers using phishing techniques to trick users into downloading Pony. Once Pony is on the system, it is then used to download Vawtrak, which can mount further banking attacks.


As a botnet controller, once Pony infects a computer, it can recruit it into its botnet to launch attacks on other victims. According to Blueliv, the average Pony botnet steals about 8,000 sets of credentials, but can steal up to a million or more.

How does Pony infiltrate systems?

Pony can infect computers in many of the same ways as other malware. These include drive-by downloads, by being hidden in free online software, fake updates for Adobe Flash and similar programs, phishing and other manipulative techniques.

One attack vector that has been seen recently involves using phishing to trick the recipient into opening up a Microsoft Publisher file which contains the malware. Attackers have been using .pub files because Publisher doesn’t have a read-only mode like Microsoft Word does. This means that target users can’t look at the file before downloading it, which means that a convincing email message can help lead to a greater number of infections.

With this method, once the file is opened, it appears to the user that Microsoft Publisher crashes. Underneath this, a 2MB macro file is secretly being uploaded to the target’s computer. Amid the contents of the file is an obfuscated piece of Javascript, which downloads the Pony malware. From this point, Pony operates silently in the background and is either used to download other malware, or to steal credentials and send them to the command and control server.

Keeping safe from Pony

While Pony is often used alongside some more sophisticated tricks, best cyber security practices will help to keep individuals and businesses safe in most circumstances. One of the keys for both personal and business security is to make sure that you, or all of the company’s employees are aware of the latest phishing techniques, such as the .pub document method mentioned above. Regular training needs to be implemented to ensure that all employees are taking this and other aspects of security policy seriously.

It’s also crucial to make sure that anti-virus programs, web browsers and extensions are kept up-to-date so that they can detect the latest malware. Firewalls should also be in place to keep the network perimeter secure. Two-factor authentication is another key security measure for keeping Pony at bay. While it may be able to crack some passwords, it won’t have access to the second factor, which will help to stop the progress of the attack. On top of this, you should also make sure that all of the passwords are long and contain significant amounts of entropy. This will help to prevent Pony from being able to brute-force its way through in the first place.

If you are trying to keep an organization secure from Pony, then only devices that have been vetted by the IT department should be allowed to connect to the corporate network. Restrictions on software downloads on company assets can also help to prevent malicious applications from getting into the corporate network.

Pony is a very capable piece of malware that can cause problems to businesses and individuals in a multitude of ways. If you don’t want your credentials stolen or your funds taken, then you need to be taking the security recommendations mentioned above seriously. Because so much of our data and commerce is now concentrated online, a laid-back attitude to security can only end in one way–wishing you had taken the warnings seriously before it was too late.

Josh Lake
Cyber Security Writer
Josh Lake is a writer who focuses on the intersections between technology, privacy and security. His work helps companies and individuals get the most out of technological developments, without having to sacrifice their civil liberties or open themselves up to the ever-increasing threats of cybercrime.