DiamondFox Botnet analysis

Discussion in 'Malware Analysis Archive' started by LabZero, Oct 25, 2015.

  1. LabZero


    #1 LabZero, Oct 25, 2015
    Recently a new botnet was discovered: its name is DiamondFox, also known as Gorynych, and it is a botnet with various features.
    The technical analysis is explained here: A Study in Bots: DiamondFox, but it is very difficult for an average user to understand, so I tried to simplify it so that everyone can understand the complexity of this botnet and its dangers.

    Botnet control panel.



    The malware is written in VB6. It has many functions inside; one of the most interesting is the card scraper, a form of bot that searches the infected computer's RAM, generally on a Point of Sale (POS) system, for credit card data (number and CVV).

    DiamondFox has quite a few features, some of which are listed here:

    • VM detection
    • Detonation service detection
    • Debugger detection
    • Researcher detection
    • Configurable install locations
    • Configurable persistence locations
    • Self-deletion
    • Keystroke logging
    • RAM scraping (credit card scraping)
    • Password theft
    • Spreading USB
    • Dropbox spreading
    • Disable TaskMgr/Regedit
    • Plugin-based functionality
    • Desktop screenshots
    • DDoS
    • Download&Execute: note that it is possible to execute directly in memory, without writing the downloaded file to disk, therefore reducing the risk of being detected by antivirus products.
    • Theft of the bitcoin wallet, with the possibility of replacing the addresses with the botmaster's bitcoin wallet.
    • The ability to transmit spam or malware through Facebook & Twitter accounts.
    • Website redirection, done by editing the Windows hosts file.
    • Theft of credentials such as passwords for RDP, FTP, instant messaging and mail stored on your system.
    • The spreading of the bot via USB


    The malware infects these paths:

    TEMP – %TEMP%
    And the following options:

    • HKCU (registry)
    • Winlogon
    • Startup Folder

    For HKCU registry, the following key is generated:

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ & BOTNAME
    For Winlogon, the path to the DiamondFox application is added to the following location:

    HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\currentversion\winlogon\Userinit
    With the "Startup" folder, DiamondFox is simply copied to the user's Startup folder, renamed WordPad.exe.


    There are also anti-reversing features, to make reversing work more difficult for researchers, including a check of the infected machine's name to prevent the bot from being run in a controlled environment.

    The bot's settings can be saved in the final part of the executable (EOF) of the bot, and the configuration is "encrypted" using a hard-coded key.

    The feature that I found most interesting and innovative is that it can generate a "Lite" bot version which contains limited functionality: Download&Execute, visiting a web page and the "Uninstall" of the bot. The Lite version is generated by the builder as a .vbs file.

    The .vbs has attractive features: with minor modifications it can be obfuscated to be made completely FUD (Fully Undetectable) and then bypass antivirus, and it can also be used in macros of the Office suite.

    Call Home

    DiamondFox is an HTTP botnet, and during the process of communicating with the C&C server the User-Agent value is used as a "filter": without the correct value, the request is not processed by the server.

    The data sent in a POST request are "encrypted" in the sources of the bot.
    Regarding the upload of files stolen from the victim, files are processed by "post.php" and placed in the "logs/" directory. The developer of the botnet forgot a small and insignificant detail: checking for multiple extensions. This was partially fixed in the last update of the C&C panel of the botnet; it could load and execute files on the command and control server. (Gorynych/DiamondFox v4.2.0.257 - File Upload Vulnerability · GitHub)

    Save files from the web server by following this draft:

    This botnet can be used for APT attacks and amplifies the trend of "as a service" malware.

    Thanks and sorry for mistakes :)
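    As an added example (not code from this thread or from the analyses it links), here is a small Python triage script for the three persistence locations named above: the HKCU Run key, the Winlogon Userinit value and the user's Startup folder. It works offline on text that was already exported from a machine (a `reg export` dump and a folder listing), so the sample values in it (the user name "alice", the value name "svchost", the temp path) are constructed assumptions, not indicators from the post. The checks are the defender's rules the post implies: Userinit should contain only the system userinit.exe, Run entries should not launch from %TEMP%, and the Startup folder should hold shortcuts rather than bare executables such as a stray WordPad.exe.

```python
import re

# Constructed sample input (not from the thread): a partial `reg export` of
# the two persistence keys the post names.  A real export would be read with
# open(path, encoding="utf-16").read().
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe,"
"Shell"="explorer.exe"
"""

# Constructed listing of the user's Startup folder (assumption, not real data).
SAMPLE_STARTUP_LISTING = ["desktop.ini", "WordPad.exe", "Send to OneNote.lnk"]

# Key paths are compared lower-cased because the registry is case-insensitive.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# The only entry Userinit should contain on a clean system (assumed default path).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Path fragments that indicate a program launched from a temp directory.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(data):
    # Undo .reg escaping: a backslash followed by any character stands for that character.
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: data}} for the string values in a .reg export."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                result[current][m.group(1)] = _unescape(m.group(2))
    return result


def _value(reg, key, name):
    """Case-insensitive lookup of a value's data; empty string if absent."""
    for n, data in reg.get(key, {}).items():
        if n.lower() == name.lower():
            return data
    return ""


def audit_run_key(reg):
    """Flag Run values that launch something from a temp directory (the post names %TEMP% as the install path)."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if any(marker in data.lower() for marker in TEMP_MARKERS):
            findings.append(f"Run value '{name}' launches from a temp directory: {data}")
    return findings


def audit_userinit(reg):
    """Flag any Userinit entry other than the system userinit.exe (the bot appends its own path)."""
    entries = [e.strip().lower() for e in _value(reg, WINLOGON_KEY, "Userinit").split(",")]
    return [f"Unexpected Userinit entry: {e}" for e in entries if e and e != EXPECTED_USERINIT]


def audit_startup_folder(names):
    """Flag bare executables in the Startup folder; it normally holds shortcuts (.lnk), not .exe files."""
    return [f"Unexpected executable in Startup folder: {n}" for n in names if n.lower().endswith(".exe")]


def audit(reg_text, startup_names):
    """Run all three checks and return the combined list of findings."""
    reg = parse_reg_export(reg_text)
    return audit_run_key(reg) + audit_userinit(reg) + audit_startup_folder(startup_names)


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_EXPORT, SAMPLE_STARTUP_LISTING):
        print(finding)
```

    On the constructed sample the script reports three findings: the Run value pointing into the temp folder, the extra Userinit entry, and the executable sitting in Startup. On a real machine you would feed it the output of `reg export` for the two keys and a listing of the Startup folder; anything it flags still needs a human to confirm, since legitimate software occasionally does use the Run key from a non-standard path.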
  2. Umbra


    Cool botnet, I should one day toy with some ^^