As a security researcher and a confirmed White Hat, I found it fascinating to receive a request the other day from a company in Thailand called darknetshop. The proprietor, Waipot Sompa, inquired about the ability to acquire a copy of Pony Loader, and wanted to know if we would also provide install support.
While Damballa is very responsive to client and prospect requests for help, this was one we would not be providing. It appears that Mr. Sompa confused our recent research regarding Pony Loader as a sales pitch to the cyber criminal underground. For the record, “We are not cyber brokers.”
Figure 1. Sad pony for Sompa
Damballa does NOT sell exploits or provide support services to wannabe cybercriminals. On the contrary, our job is to help enterprises battle against cyber criminals who have gained access to their networks. So when Waipot Sompa from darknetshop hit us up with the request for contact, and asked “IF I BUY PONY LOADER, YOU SUPPORT TO INSTALL OR NOT?”, we did what any good security researcher would do – hunt him down!
What is Darknetshop?
Darknetshop is an online blog, where Sompa tries to sell a variety of goods, such as Windows mobile phones, Apple iPhones and laptops.
Figure 2. darknetshop online shop
Domain registrations show that Sompa has been active since at least 2008, and that he has accounts on multiple carding, bitcoin and freelance forums such as crimenetwork[.]biz, hackingforum[.]ru, hackerone[.]com and bitcoin-forums[.]net.
This may be why he is interested in Pony Loader: it is an information stealer that also targets cryptocurrency wallets and, being a loader, can drop additional payloads such as bitcoin miners. We subsequently found a post from him on a community forum website, where he asked about cardershop[.]su:
Figure 3. Sompa asking for help about cardershop[.]ru
Sompa is also running an online shop, or some kind of ecommerce website, that does not appear to be legitimate. On it he advertises scams that promise to let you make “easy” money in five minutes.
Figure 4. Sompa advertising the “easy” money scam
Waipot Sompa has a long history of scams. That said, based on his online activities, he does not appear to be someone with the technical knowledge to use and install crimeware (hence his request to our team at Damballa). Easy-money scams are one thing; leveraging crimeware is another. But his interest is a good indication of how brazen cyber-criminals are becoming. While dear Waipot would likely be better served by going into a more noble profession, we expect he will continue to search for resources until he finds someone willing to support him in his Pony Loader pursuits.
Loucif Kharouni is a Senior Threat Researcher at Damballa