DiamondFox: advanced "malware on demand" service available for purchase on the Tor network
Analysts from Check Point and TerbiumLabs (a company specialising in dark web data intelligence) have identified a new threat that has recently appeared in cyberspace: a malware-as-a-service offering called DiamondFox. The offer is addressed to both business and individual users and lets the buyer prepare an attack against any chosen target or network.
DiamondFox is a type of botnet offered on underground forums. The buyer receives the access data needed to operate it and can then plan, for example, espionage, data theft, attacks on financial institutions by stealing banking credentials, or an effective DDoS attack.
The Check Point and TerbiumLabs investigation shows that this model of selling malware as a service is becoming increasingly common. DiamondFox is very easy to use and allows a buyer to configure and launch an attack on an institution at any time.
The greatest threat, according to Check Point analysts, is the number of available plugins that let the attacker tailor the attack to the victim, together with the malware's ability to spread on its own via USB media and social media.
Check Point and TerbiumLabs analysts believe that the service is distributed online by Edbitss ([email protected].), a vendor who regularly updates the product offered to DiamondFox customers. According to the available information, Edbitss may be located in Russia; they certainly speak fluent Russian, although registration data also point to business activity in Mexico.
The analysed version of DiamondFox contains 15 plugins, among them ones that steal:
- FileZilla credentials
- logins and passwords of e-mail accounts
- passwords saved in web browsers
- passwords for remote RDP sessions
- passwords of installed instant messaging clients
- passwords from VNC software
In addition, DiamondFox is equipped with modules that give the attacker the ability to:
- take screenshots
- send spam from the infected computer
- change the browser home page
- carry out DDoS attacks
- log keystrokes
- steal credentials from RAM (memory scraping; we refer readers to our antivirus test of online-banking protection modules, in which we used this type of attack)
- collect information about running processes and services
- open a remote desktop session using Ammyy Admin
- steal BTC wallet addresses from the system clipboard
- modify the HOSTS file (again, see our test in which we described the consequences of HOSTS modification by malware)
- spread the plugin responsible for spying on the PC to USB media
If the malware is run with administrator privileges, it modifies the registry values responsible for User Account Control (UAC) settings:
HKLM\Software\Microsoft\Security Center\UACDisableNotify = REG_DWORD: 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = REG_DWORD: 0
With EnableLUA set to 0, UAC is switched off entirely, so later elevation attempts by the malware no longer trigger a prompt (the change takes full effect after a reboot).
It is also worth checking C:\Users\<username>\AppData\Local\Temp for suspicious temporary files and running a good on-demand virus scanner.
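The following PowerShell script is an added example for this article, not code from Check Point, TerbiumLabs or the malware itself. It reads the two registry values named above, reports whether UAC has been switched off, and lists recently modified files in the current user's Temp folder with SHA-256 hashes for executable-type files. The 7-day window and the extension list are arbitrary choices for the example; which value of UACDisableNotify counts as suspicious must be judged together with EnableLUA, because 0 can also be a legitimate setting.

```powershell
# Added example (not from the article or the vendors it cites).
# Assumes Windows with PowerShell 5.1 or later; reading HKLM values does not need elevation.

function Get-UacRegistryStatus {
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
           Name = 'UACDisableNotify'; ReportedByArticle = 0 }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Name = 'EnableLUA'; ReportedByArticle = 0 }
    )
    foreach ($c in $checks) {
        $value = $null
        try {
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop).($c.Name)
        } catch {
            # Value absent: Windows uses its built-in default for this setting.
        }
        [pscustomobject]@{
            Key               = "$($c.Path)\$($c.Name)"
            CurrentValue      = $value
            ReportedByArticle = $c.ReportedByArticle
            # EnableLUA = 0 unambiguously means UAC is off. UACDisableNotify alone is
            # not conclusive, so only EnableLUA drives the verdict here.
            UacDisabled       = ($c.Name -eq 'EnableLUA' -and $value -eq 0)
        }
    }
}

function Get-RecentTempFiles {
    param(
        [string]$Path = (Join-Path $env:LOCALAPPDATA 'Temp'),
        [int]$Days = 7   # arbitrary window chosen for this example
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            $hash = $null
            # Hash only executable-like files: these are what an on-demand scanner
            # or a hash lookup service would be pointed at first.
            if ($_.Extension -in '.exe', '.dll', '.scr', '.vbs', '.ps1', '.bat') {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                FullName      = $_.FullName
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTime
                Sha256        = $hash
            }
        }
}

Get-UacRegistryStatus | Format-Table -AutoSize
Get-RecentTempFiles   | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt; a row with UacDisabled = True, or recent executables in Temp that you did not put there, is reason to scan the machine with an on-demand scanner and to restore EnableLUA to 1 (followed by a reboot).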
We use the Google Cloud Translation and Gengo APIs to translate our articles, with the exception of our comparative tests.