Tracing Pony’s Threat Cycle and Multi-Stage Infection Chain
released on 2015-08-17 @ 09:41:04 PM
Since the beginning of 2015, a malicious spear-phishing campaign dubbed Pony has been actively luring victims. The spam e-mails entice users by impersonating well-known companies, using their logos and familiar subject lines to further sell the deception. These e-mails kick off a multi-stage infection chain. The first stage is a malicious link within the e-mail, or an attachment, that delivers the malicious code, in this case Pony. Pony infects the victim's computer and downloads additional malware. Pony was originally configured to download different malware families; however, due to a change in the criminals' strategy, it currently only downloads Dyre.
Every Pony domain appears to belong to the same group, and the infrastructure is mainly located in Russia and Ukraine. Most of the IP addresses belong to known bulletproof hosting networks that advertise their services on various forums. The criminals also rely on a network of hacked servers to carry out the multi-stage infection chain.