
When a Pony Walks Out Of A Pub

February 6, 2017

This blog was authored by Warren Mercer and Paul Rascagneres.

Talos has observed a small email campaign leveraging Microsoft Publisher files. These .pub files are normally used to publish documents such as newsletters, and let users build them with familiar Office functions such as mail merge. Unlike other applications in the Microsoft Office suite, Microsoft Publisher does not support a 'Protected View' mode, the read-only mode that helps protect end users from malicious document files. Microsoft Publisher is included and installed by default in Office 365.

The file used in this campaign was aimed at infecting the victim with the well-known Pony malware. While Pony's technical capabilities are well documented, it had not been seen delivered via the .pub file format until now. Pony is a credential-harvesting piece of malware with other trojan capabilities. In addition to credential harvesting, it is commonly deployed as a malware loader, used to infect systems with additional malware in multi-stage infection chains. Pony remains in heavy use because the source code of multiple Pony versions has leaked, making it much easier for other malicious actors to incorporate Pony into their infection chains.
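Because Publisher opens .pub attachments without Protected View, a mail gateway or triage script has a reason to treat them differently from other Office documents. The following is an added example, not code from Talos or from the post, that walks the attachments of a MIME message and flags Publisher files by extension, and also flags any part whose payload carries the OLE2 compound-file header but a non-Office extension (a heuristic for renamed attachments). The OLE2 magic bytes are a known constant; the list of "expected" OLE extensions and the sample message are assumptions constructed for the example.

```python
"""
Added example (not from the Talos post): flag Microsoft Publisher (.pub)
attachments in an email, since Publisher has no Protected View, and flag
OLE2 containers that arrive under an unexpected extension.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# OLE2 compound-file header shared by legacy Office formats, .pub included.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions under which an OLE2 container is expected (heuristic, an assumption).
OLE_EXPECTED_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot", ".msg", ".pub"}


def classify_attachment(filename, payload):
    """Return a list of reason strings; empty means nothing to flag."""
    ext = os.path.splitext(filename)[1].lower()
    reasons = []
    # Publisher has no Protected View, so a .pub attachment gets no sandboxed first open.
    if ext == ".pub":
        reasons.append("publisher-file-no-protected-view")
    # An OLE2 container hiding behind a benign-looking extension is worth a second look.
    if payload.startswith(OLE_MAGIC) and ext not in OLE_EXPECTED_EXTENSIONS:
        reasons.append("ole-container-with-unexpected-extension")
    return reasons


def inspect_message(raw_message):
    """Parse a raw RFC 5322 message and return findings for flagged attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, payload)
        if reasons:
            findings.append({"filename": name, "size": len(payload), "reasons": reasons})
    return findings


def build_sample_message():
    """Constructed sample message (not a real campaign artifact) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Newsletter"
    msg.set_content("Please see the attached document.")
    # Minimal stand-in for a .pub file: OLE2 header followed by padding.
    fake_pub = OLE_MAGIC + b"\x00" * 64
    msg.add_attachment(fake_pub, maintype="application",
                       subtype="octet-stream", filename="newsletter.pub")
    # A benign non-OLE attachment that should not be flagged.
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="brochure.pdf")
    # An OLE2 container renamed to .txt, which the heuristic should catch.
    msg.add_attachment(OLE_MAGIC + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print(finding)
```

Run stand-alone, the script reports the .pub attachment and the renamed OLE2 file and stays silent on the PDF. In a gateway this classification would feed a quarantine or detonation decision rather than a print statement.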


Comments

  1. A very detailed breakdown of a nasty piece of malware. I was surprised at the level of detail needed for malware like Pony to work.
