DiamondFox: an advanced "malware on demand" service for sale on the Tor network

Analysts from Check Point and Terbium Labs (a company specialising in dark web data intelligence) have described a new threat that recently appeared in cyberspace: a malware-as-a-service offering called DiamondFox. The criminals' offer is aimed at both business and individual customers and lets the buyer prepare an attack on any target or network.

DiamondFox is a type of botnet sold on internet forums. The buyer receives access credentials that allow them to plan, for example, espionage, data theft, attacks on financial institutions by stealing banking credentials, or an effective DDoS attack.

The major concern with such cybercrime services is the wide availability of these tools and the fact that a prospective user of the service needs no particular technical knowledge.

The investigation by Check Point and Terbium Labs shows that this model of selling access to a service is becoming more common in the criminal underground. DiamondFox is very easy to use and allows an attack on an institution to be assembled at any time.

The offer traded by cybercriminals on the black market also includes continuous monitoring of the infected machines, together with the scale of the attack and statistics.

According to Check Point's analysts, the greatest threat is the number of available plugins, which let the attack be tailored to the victim, and the malware's ability to self-propagate through mobile devices and social media.

One of the plugin modules is responsible for gathering information about the infected computer.

The Check Point and Terbium Labs analysts believe that the service is distributed on the web by Edbitss ([email protected]), a seller who regularly updates the DiamondFox product offered to customers. According to the available information, Edbitss may be located in Russia; he certainly speaks fluent Russian, although the registration data also point to business activity in Mexico.

On the Tor network you can meet a friend for life.

The report's authors state that corporate and private users can protect themselves against DiamondFox attacks with Check Point's Antivirus Software Blade and Anti-Bot Software Blade, which detect and block communication with the DiamondFox malware.

The analysed version of DiamondFox contains 15 plugins, which steal, among other things:

  • FileZilla credentials
  • mail account logins and passwords
  • passwords saved in web browsers
  • passwords for remote RDP sessions
  • passwords of installed instant messaging clients
  • VNC software passwords

In addition, DiamondFox is equipped with modules that give the attacker the ability to:

  • take screenshots
  • send spam from the infected computer
  • change the browser home page
  • carry out DDoS attacks
  • log keystrokes
  • steal credentials from RAM (memory scraping; we refer readers to our test of antivirus online-banking protection modules, in which we used this type of attack)
  • collect information about running processes and services
  • open a remote desktop session using Ammyy Admin
  • steal BTC wallet addresses from the system clipboard (replacing a copied address with the attacker's)
  • modify the HOSTS file (again, see our test in which we reported on the consequences of HOSTS modification by malware)
  • spread the plugin responsible for spying on the PC to USB media

If the malware was run with administrator privileges, it modifies the registry keys responsible for User Account Control (UAC) settings:

HKLM\Software\Microsoft\Security Center\UACDisableNotify = REG_DWORD: 0

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = REG_DWORD: 0

Setting EnableLUA to 0 turns UAC off entirely (the change takes effect after a reboot). The UAC settings can be found in Control Panel > All Control Panel Items > Security and Maintenance.

You can also check C:\Users\<username>\AppData\Local\Temp for suspicious temporary files and run a good on-demand virus scanner.
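The checks above (the two UAC registry values, the HOSTS file and the user's Temp folder) can be run in one pass. The script below is an added example written for this page; it is not part of the AVLab article or of the Check Point / Terbium Labs report. It assumes Windows 7 or later with PowerShell 5, the standard registry paths quoted above, and that it is run from an elevated prompt. The `-Remediate` switch and the seven-day window for Temp files are this example's own choices.

```powershell
<#
  Added triage script (not from the article or the vendors' report).
  Checks the UAC registry values DiamondFox tampers with, reviews the HOSTS
  file for redirections, and lists recently written executables in the
  user's Temp folder. Run from an elevated PowerShell prompt; pass
  -Remediate to set EnableLUA back to 1 (a reboot is still required).
#>
param([switch]$Remediate)

$findings = [System.Collections.Generic.List[string]]::new()

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value name is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# --- 1. UAC registry values named in the article ---------------------------
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$scKey     = 'HKLM:\SOFTWARE\Microsoft\Security Center'

$enableLua = Get-RegValue $policyKey 'EnableLUA'
if ($enableLua -eq 0) {
    $findings.Add("EnableLUA = 0 under $policyKey : UAC is disabled (DiamondFox behaviour)")
    if ($Remediate) {
        Set-ItemProperty -Path $policyKey -Name 'EnableLUA' -Value 1 -Type DWord
        $findings.Add('EnableLUA reset to 1; reboot for UAC to become active again')
    }
}

# The sample writes 0 here; report the current value for the analyst to compare.
$disableNotify = Get-RegValue $scKey 'UACDisableNotify'
$findings.Add("UACDisableNotify = $(if ($null -eq $disableNotify) { '<absent>' } else { $disableNotify })")

# --- 2. HOSTS file: a default Windows hosts file has no active entries, so
#        every uncommented line is worth a look; a non-loopback target is how
#        malware redirects bank or update domains to an attacker's server.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopback  = @('127.0.0.1', '::1', '0.0.0.0')
foreach ($line in Get-Content -Path $hostsPath -ErrorAction SilentlyContinue) {
    $entry = ($line -split '#')[0].Trim()
    if (-not $entry) { continue }                       # blank or comment-only line
    $fields  = $entry -split '\s+'
    $address = $fields[0]
    $names   = ($fields | Select-Object -Skip 1) -join ' '
    if ($loopback -notcontains $address) {
        $findings.Add("HOSTS redirects '$names' to $address")
    } else {
        $findings.Add("HOSTS maps '$names' to $address (blocking entry, verify it is yours)")
    }
}

# --- 3. Executables and scripts written to %LOCALAPPDATA%\Temp in the last
#        7 days (the folder the article recommends checking), with SHA-256
#        so the hashes can be submitted to an on-demand scanner.
$tempDir    = Join-Path $env:LOCALAPPDATA 'Temp'
$suspectExt = @('.exe', '.dll', '.scr', '.vbs', '.js', '.bat', '.ps1')
Get-ChildItem -Path $tempDir -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $suspectExt -contains $_.Extension.ToLower() -and
                   $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $findings.Add("Temp: $($_.FullName) written $($_.LastWriteTime) SHA256=$hash")
    }

# --- Report ----------------------------------------------------------------
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Registry reads use `Get-ItemProperty` with `-ErrorAction SilentlyContinue` so a missing value shows up as absent rather than aborting the run; the HOSTS parser strips trailing `#` comments before splitting, and the Temp scan hashes files instead of opening them, so the script can be run on a live, possibly infected host without executing anything from Temp.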


We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.