DiamondFox Botnet analysis

Discussion in 'Malware Analysis Archive' started by LabZero, Oct 25, 2015.

  1. LabZero

    LabZero Guest

    #1 LabZero, Oct 25, 2015
    Last edited by a moderator: Oct 25, 2015
    Recently it was discovered a new botnet: It's name is DiamondFox, also known as Gorynch, is a botnet with various features.
    The technical analysis is explained here: A Study in Bots: DiamondFox but it is very difficult to understand for an average user, so I tried to simplify it, so that everyone can understand the complexity of this botnet and its dangers.

    Botnet control panel.

    Cattura.PNG
    Cattura1.PNG

    Cattura2.PNG

    Malware is written in VB6, It has many functions inside, one of the most interesting is the scraper of cards, a form of bots that search the infected computer's RAM, generally a Point of Sale System (POS), the credit card data (number and CVV).

    DiamondFox has quite a few features, some of which are listed here:

    • VM detection
    • Detonation service detection
    • Debugger detection
    • Researcher detection
    • Configurable install locations
    • Configurable persistence locations
    • Self-deletion
    • Keystroke logging
    • RAM scraping (credit card scraping)
    • Password theft
    • Spreading USB
    • Dropbox spreading
    • Disable TaskMgr/Regedit
    • Plugin-based functionality
    • Desktop screenshots
    • DDoS
    • Download&Execute: note that it is possible to execute directly in memory, without writing the downloaded file on disk and therefore reducing the risk of being detected by antivirus products.
    • The stealing of the bitcoin wallet with the possibility to change the addresses with the bitcoin wallet of botmaster.
    • The ability to transmit spam or malware through Facebook account &Twitter.
    • Redirect websites, made by editing the Windows host file.
    • Theft of credentials such as passwords, RDP, FTP, Instant Messaging and Mail stored on your system.
    • The spreading of the bot via USB

    Cattura3.PNG

    The malware infects these paths:


    Code:
    APPDATA –% APPDATA%
    TEMP –% TEMP%
    PROGRAMFILES –% PROGRAMFILES%
    –% WINDIR% WINDIR
    
    And the following options:

    • HKCU (registry)
    • Winlogon
    • Startup Folder

    For HKCU registry, the following key is generated:

    Code:
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ & BOTNAME
    For the Winlogon, the path to the application DiamondFox is added to the following locations:

    Code:
    HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\currentversion\winlogon\Userinit
    HKEY_LOCAL_MACHINE64\software\microsoft\windows\currentversion\winlogon\Userinit
    With the "Startup" Folder, DiamondFox is simply copied to the user's startup, renamed WordPad.exe.

    Cattura6.PNG

    There are also anti-reversing features, to make it more difficult to reverse work by researchers, including control over the infected machine name to prevent the bot from being run in a controlled environment.

    Bot's settings can be saved or in the final part of the executable (EOF) of the bot and the configuration is "encrypted" using hard-coded key.

    The feature that most of all I found interesting and innovative is that it can generate a "Lite" bot version which contains limited functionality: Download&Execute, to explore a web page and the "Uninstall" of BOT. The Lite version is generated by the builder as a .vbs file.

    The .vbs has attractive features, with minor modifications can be blurred to be made completely FUD (Fully Undetectable), and then bypass the antivirus, can also be used in macros of the Office suite.

    Call Home

    DiamondFox is a HTTP Botnets and during the process of communicating with the C&C server User-Agent value is used as a "filter", without the correct value, the request is not processed by the server.

    The data sent in a POST request are "encrypted" in the sources of the bot.
    Regarding the upload of files stolen from the victim, files are processed by "post.php", and placed in the directory "logs/". The developer of the botnet forgot a small and insignificant detail: check for multiple extensions. This feature was partially fixed in the last updated of the C&C Panel of the botnet and It could load and execute files on the command and control server. (Gorynych/DiamondFox v4.2.0.257- File Upload Vulnerability · GitHub)

    Save files from the web server by following this draft:

    Code:
    logs/wallet
    logs/scr
    logs/rdp
    logs/ftp
    logs/mail
    logs/pass
    logs/kyl
    logs/dumps
    This botnet can be used to APT attacks and to amplify the tendency of "as a service" malware.

    Thanks and sorry for mistakes :)
     
  2. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,161
    29,615
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    Metal Gear Solid :D

    Cool botnet, i should one day toy with some ^^
     
    Sr. Normal, harlan4096 and LabZero like this.
Loading...
Similar Threads Forum Date
The Number of IoT Botnet C&C Servers Doubled in 2017 Security News Wednesday at 12:26 AM
Python-Based Botnet Targets Linux Systems with Exposed SSH Ports Security News Jan 5, 2018
Andromeda Botnet to Die Slow, Painful Death After Takedown Security News Jan 4, 2018