Pony
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1036 | .005 | 伪装: Match Legitimate Name or Location |
Pony has used the Adobe Reader icon for the downloaded file to look more trustworthy.[1] |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
Pony has used batch scripts to delete itself after execution.[1] |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
Pony has sent collected information to the C2 via HTTP POST request.[1] |
| Enterprise | T1110 | .001 | 暴力破解: Password Guessing |
Pony has used a small dictionary of common passwords against a collected list of local accounts.[1] |
| Enterprise | T1106 | 本机API |
Pony has used several Windows functions for various purposes.[1] |
|
| Enterprise | T1027 | 混淆文件或信息 |
Pony attachments have been delivered via compressed archive files. Pony also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult.[1] |
|
| Enterprise | T1204 | .001 | 用户执行: Malicious Link |
Pony has attempted to lure targets into clicking links in spoofed emails from legitimate banks.[1] |
| .002 | 用户执行: Malicious File |
Pony has attempted to lure targets into downloading an attached executable (ZIP, RAR, or CAB archives) or document (PDF or other MS Office format).[1] |
||
| Enterprise | T1070 | .004 | 移除指标: File Deletion | |
| Enterprise | T1082 | 系统信息发现 |
Pony has collected the Service Pack, language, and region information to send to the C2.[1] |
|
| Enterprise | T1497 | .003 | 虚拟化/沙盒规避: Time Based Evasion |
Pony has delayed execution using a built-in function to avoid detection and analysis.[1] |
| Enterprise | T1087 | .001 | 账号发现: Local Account |
Pony has used the |
| Enterprise | T1105 | 输入工具传输 |
Pony can download additional files onto the infected system.[1] |
|
| Enterprise | T1566 | .001 | 钓鱼: Spearphishing Attachment | |
| .002 | 钓鱼: Spearphishing Link |
Pony has been delivered via spearphishing emails which contained malicious links.[1] |
||