Cybercriminals stay under the radar for extended periods of time to execute malware such as banking Trojans, forcing organizations to reassess their security tools, according to a report from Damballa.

In its "State of Infections Report," the Atlanta-based network security monitoring firm highlighted how criminals spread malware called Pony Loader, which has been around for years. It has stayed undetected thanks to a structured routine of continually creating new domains and establishing new infrastructure, which keeps it off the radar of most security products.

In addition to moving infrastructure, the criminals behind Pony Loader also change the malware itself. In May 2015, the Pony configuration unleashed Dyre, a banking Trojan. In September, it downloaded Vawtrak, another banking Trojan. And on Dec. 2, Nymaim, a form of ransomware, replaced Vawtrak before switching back to its original Vawtrak form on Dec. 14.

Damballa's eight-month study found that using only a few IP addresses per provider reduces the chances that the Pony malware will be caught. Since Damballa began tracking Pony, the criminals have used 281 domains and more than 120 IPs spread across 100 different ISPs.

"If a domain only stays online for a few days or hours, criminal communications can go undiscovered for long periods of time," the report stated. "Security teams should look for active communications originating from inside the network and block outbound attempts."

Damballa observed fluctuating activity based on the number of IPs in use throughout a specific time period. During vacation times – summer and the holiday season – the ratio of domains to IPs increased, indicating that the crew had fewer resources available to move the infrastructure during those times.
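The detection approach the report recommends, as an added example that is not part of the article or of Damballa's report: it runs over constructed outbound-connection records, flags domains that internal hosts contacted repeatedly but that were observed for only a few days before going silent, computes the domain-to-IP ratio over a time window, and lists the order in which one host moved between the flagged domains. The record format, host names, thresholds and all sample values are assumptions.

```python
from datetime import datetime

# Constructed outbound-connection records (timestamp, host, domain, resolved IP); sample data, not from the report.
RECORDS = [
    ("2015-12-01T09:00", "ws-17", "cdn-update.example", "198.51.100.4"),
    ("2015-12-02T09:00", "ws-17", "cdn-update.example", "198.51.100.4"),
    ("2015-12-04T09:05", "ws-17", "stat-sync.example", "203.0.113.9"),
    ("2015-12-05T09:05", "ws-17", "stat-sync.example", "203.0.113.9"),
    ("2015-12-07T09:00", "ws-17", "metrics-push.example", "203.0.113.9"),
    ("2015-12-08T09:00", "ws-17", "metrics-push.example", "203.0.113.9"),
    ("2015-12-01T08:00", "ws-02", "mail.corp.example", "192.0.2.10"),
    ("2015-12-20T08:00", "ws-02", "mail.corp.example", "192.0.2.10"),
    ("2015-12-03T12:00", "ws-02", "docs.example", "192.0.2.44"),
]
ts = datetime.fromisoformat  # timestamps are ISO 8601 strings

def domain_spans(records):
    """Per domain: (first seen, last seen, contact count)."""
    spans = {}
    for t, _, domain, _ in records:
        t = ts(t)
        first, last, count = spans.get(domain, (t, t, 0))
        spans[domain] = (min(first, t), max(last, t), count + 1)
    return spans

def short_lived_domains(records, max_days=3, min_contacts=2, quiet_days=2):
    """Domains contacted repeatedly from inside, seen for only a few days, then silent.
    One-off lookups are ignored; a domain still active at the end of the data is not flagged."""
    end = max(ts(r[0]) for r in records)
    flagged = [d for d, (first, last, count) in domain_spans(records).items()
               if count >= min_contacts and (last - first).days <= max_days
               and (end - last).days >= quiet_days]
    return sorted(flagged)

def domain_ip_ratio(records, start, end, domains):
    """Distinct domains per distinct IP among `domains` in [start, end); rises when domains churn but IPs are reused."""
    seen_domains, seen_ips = set(), set()
    for t, _, domain, ip in records:
        if domain in domains and ts(start) <= ts(t) < ts(end):
            seen_domains.add(domain)
            seen_ips.add(ip)
    return len(seen_domains) / len(seen_ips) if seen_ips else 0.0

def rotation_chain(records, host, domains):
    """Order in which one host moved between the flagged domains."""
    chain = []
    for _, h, domain, _ in sorted(records, key=lambda r: ts(r[0])):
        if h == host and domain in domains and domain not in chain:
            chain.append(domain)
    return chain
```

The observation window has to extend past a domain's last sighting before its short lifetime means anything; a domain that is merely new looks identical until it goes quiet.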

Using the Destover Trojan as an example, the study also explained how advanced attackers conceal their tracks to throw investigators off the trail. Destover deletes files from an infected device, rendering it useless. Attackers can stay undetected inside a network, expand their presence and exfiltrate terabytes of sensitive information. Destover is associated with high-profile breaches, including those that targeted Sony Pictures Entertainment and Saudi Aramco.

While researching a new sample of Destover, Damballa's Threat Discovery Center discovered two utilities closely related to Destover: setMFT and afset. Both evade detection while moving laterally through a network to broaden the attack surface. Adversaries can clean and redirect log files and blend them with legitimate system files, and as a result, many of the tools and methods security teams use to identify the presence of attackers fail to detect setMFT and afset. Damballa warned that chances are security personnel will miss them altogether unless they have a continuous monitoring solution that looks for threat-related behavior over time.

"It's no small feat to keep up with how cybercriminals operate," Stephen Newman, chief technology officer for Damballa, said. "Attackers have an incredibly vibrant underground community where they can buy or rent anything from command and control infrastructure to sophisticated exploit kits to bare metal malware. While this report highlights several themes that our Threat Discovery Center has followed over the past several months, there is one common factor here and that is you never know what to expect from threat actors. By shedding light on common techniques, our hope is that enterprises can reassess and improve their existing security controls."


© 2025 ALM Global, LLC, All Rights Reserved.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).