Pony credential stealer trampling users via Microsoft Publisher documents

Multiple levels of obfuscation shelter the malware from prying eyes.

David Bisson

The credential-stealing Pony malware is masquerading as Microsoft Publisher documents in an effort to infect unsuspecting users.

The campaign begins when an attack email containing a Microsoft Publisher document saunters over to an unsuspecting user.

To be clear, this isn’t the first time attackers have married malware-laden spam and Publisher files together. But it’s an uncommon attack vector in comparison to malicious Microsoft Word, Excel and even PowerPoint documents.

Those individuals behind this campaign don’t seem too worried about that. Otherwise, they would have tried to conceal the attachment’s file type, such as by hiding it within a compressed .ZIP file. Instead, they use social engineering techniques to bait the user into clicking on the attachment. If they succeed, the user opens the document, which soon after appears to crash.


Of course, that’s what the attackers want a user to believe.

In the background, there’s a 2MB macro that’s up to no good. The file capitalizes on the user’s confusion by writing a “letten.js” file onto disk. This file comes with its own protective measures.

As researchers at Cisco Talos explain in a blog post:

“Initially we find a heavily obfuscated piece of Javascript — remember this is the cool kids’ language of choice now — but we can easily overcome this obfuscation. The obfuscation is divided into 2 layers. The first layer decrypts data in order to perform an eval() on the clear text. Not surprisingly the eval reveals another layer of obfuscated Javascript!”

Below those levels of obfuscation lies code designed to download a binary to the user’s TEMP folder. That binary is Pony, malware that is known for installing Vawtrak and other malware onto infected machines. On its own, the downloader has the ability to steal users’ credentials and send them back to a command and control (C&C) server.

Users can best protect against this attack campaign by not clicking on suspicious links and email attachments.

Also, while the malspam emails reference a “financing requirement,” users should exercise a healthy dose of caution and wonder why anyone would use Microsoft Publisher to send over such an important document.

I’m sure it happens somewhere, but most legitimate companies would opt for Word or PDF files instead.
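A mail-gateway style check for the delivery method described above, written as an added example that is not from the original article or from Cisco Talos: it flags Publisher attachments by extension plus the OLE2 header that .pub files carry, and goes one step beyond the article by also looking inside ZIP attachments. The function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file header used by .pub

def is_publisher(name, head):
    """True if the name ends in .pub and the content starts with the OLE2 header."""
    return name.lower().endswith(".pub") and head.startswith(OLE_MAGIC)

def find_publisher_attachments(raw_email):
    """Return (attachment name, delivery) for each Publisher file in the message."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_publisher(name, data):
            hits.append((name, "direct"))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:
                        continue  # encrypted member: content cannot be inspected here
                    with zf.open(info) as member:
                        head = member.read(len(OLE_MAGIC))
                    if is_publisher(info.filename, head):
                        hits.append((f"{name}!{info.filename}", "inside zip"))
    return hits

def build_sample(attach_name, payload):
    """Constructed sample message; addresses, subject and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()

# Constructed payload: OLE2 header bytes plus padding, not a real document.
FAKE_PUB = OLE_MAGIC + b"\x00" * 64

if __name__ == "__main__":
    print(find_publisher_attachments(build_sample("sample.pub", FAKE_PUB)))
```

A hit is a reason to quarantine the message for review, since the check says nothing about whether the document carries a macro.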

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
