Tags: malware, Pony loader
We received a fascinating request the other day from a company called darknetshop located in Thailand. The proprietor, Waipot Sompa, expressed an interest in acquiring a copy of Pony Loader as well as install support.
While Damballa is very responsive to requests for help, these aren’t the type we fulfill. Apparently, Mr. Sompa mistook our recent research regarding Pony Loader for a sales pitch to the cyber criminal underground. Let me state for the record, “We are not cyber brokers.”
Figure 1. Sad pony for Sompa
Please take note: Damballa does NOT sell exploits, nor do we provide support or installation. Au contraire: we help enterprises in the battle against cyber criminals who have compromised their networks.
Here is a copy of the request lead we received:
Figure 2. Request lead copy
From the information we received from Sompa, we’ve been able to track him down.
Darknetshop is an online blog where Sompa tries to sell a variety of goods, such as Windows mobile phones, Apple iPhones and laptops.
Figure 3. darknetshop online shop
We further investigated Sompa to build a profile of who he is and what he’s up to. Based on readily available information, domain registrations show that Sompa has been active since at least 2008.
He has accounts on multiple carding, bitcoin and freelance forums such as:
This could explain his interest in Pony since it’s an information stealer and can be used as a bitcoin miner. On a community forum website, he asked about cardershop[.]su:
Figure 4. Sompa asking for help about cardershop[.]ru
Sompa is also running an online shop, or some kind of ecommerce website, that doesn’t appear to be legitimate. He also advertises how you can make “easy” money in five minutes using some type of scam.
Figure 5. Sompa advertising the “easy” money scam
Figure 6. Sompa advertising another “easy” money scam
Figure 7. Sompa’s website to make “easy” money
Figure 8. Sompa advertisement to get $20 over and over
Waipot Sompa has a long history of scams but doesn’t strike us as someone who has the technical knowledge to use and install crimeware. This likely led to his inquiry for help installing Pony. He seems intent on making money by selling goods that may or may not exist and from easy-money scams.
Running a criminal startup is not easy and requires a minimum of skills that Sompa likely doesn’t possess. Our advice: find a legitimate business endeavor!
Domains he owns/owned
220.127.116.11 back in 2009
Sr Threat Researcher