A dangerous botnet that aims to steal financial information from important computers such as cashier POS machines has been reported to be spread on dark web forums and markets. This type of malware is particularly dangerous because it comes with a kit and practically anyone with moderate knowledge on how to operate malware can simply download it and begin infecting computers. Not only this but the bot is also able to spread quite quickly and has many other functions, like DDoS (Denial of Service) for example.
|Short Description||Aims to steal passwords, personal and financial information. Attacks POS machines as well.|
|Symptoms||Cannot open the Windows Registry Editor and Windows Task Manager.|
|Detection Tool|| See If Your System Has Been Affected by DiamondFox |
Malware Removal Tool
|User Experience||Join our forum to Discuss DiamondFox Ransomware.|
DiamondFox Botnet Malware – How Does It Infect
Malware researchers at Cylance blog have reported that this extremely dangerous malware uses several different methods to spread. It may infect your computer via a USB thumb drive or even via Dropbox, and this may happen unknowingly. To best illustrate how a USB infection can occur, imagine that someone inserts a USB flash drive into an infected computer, and the malware replicates itself on the drive, very similar to how a worm acts – directly without any permission. Besides this, the DiamondFox botnet malware can also spread via e-mails if the ones who are using it decide to spread massive spam message to a pre-programmed list via an advanced spam bot.
What Is DiamondFox BotNet Capable Of?n
As soon as this virus attacks a computer, it can perform a wide range of malicious deeds to it, from the most basic ones to very complicated ones.
One very simple “feature” of the DiamondFox botnet is to collect information from the keystrokes of the user PC and saves a log in a .txt file or another type of file. An example of a keylogging may be the following interface:
Such information, if properly understood by cyber-criminals can result in the theft of your e-mail account and other accounts you may enter your credentials in.
Furthermore, just like any other malware out there, DiamondFox may prevent the user from entering his Task Manager or the Windows Registry Editor. This is a defensive measure and prevents you from deleting DiamondFox from your computer.
Another feature of this virus is that it is pre-programmed to automatically detect Virtual OSs. As soon as it detects that It has run on a virtual machine, the virus immediately shuts down, making it significantly more difficult to research it.
In addition to this detection, the DiamondFox botnet is also configured to detect detonation services, debuggers and even someone who tries to reverse-engineer it.
The DiamonFox virus also can function as a plugin and even take screenshots of the computer, similar to most Trojan Horse infections out there.
Not only this, but DiamonFox is also capable of remotely self-deleting as well.
Unlike a typical trojan horse, that is controlled via software installed on the computer, the DiamonFox botnet malware is controlled via a C&C(Command and Control) online panel that has a custom account for the hacker to access.
In this account, you can find other numerous features of the DiamondFox botnet, such as:
- Activating and deactivating active connection to infected computers.
- DDoS capability via flooding the machine on UDP or HTTP.
- Activating and deactivating POS terminals.
- Spam sender to the infected machine.
- A homepage changing features for Mozilla Firefox.
- An information stealer for BitCoin wallets.
- A spam bot that spreads messages from infected computer’s Twitter and Facebook accounts to further infect people with the DiamondFox or other malware.
- Password stealer that grabs saved passwords(Grabber).
- FTB, RDP and e-mail grabber.
- “Updating from a distance” feature.
The virus can be detected, by using Wireshark, however. This can happen if you analyze the HTTP traffic that is going to the command and control server since it uses HTTP POST traffic to communicate with it. The bad news of that is that the traffic is XOR encrypted with a key that only the C&C server can read and detect.
DiamondFox Botnet – Conclusion, Removal, and Protection
DiamondFox is a threat that has a lot of functions and acts as if it is a remote-access-trojan. In case you cannot access you Task Manager or Registry Editor, we strongly advise scanning your computer in safe mode with an advanced anti-malware program because it will protect you in the future and detect other malware that may have been installed as well. You can also follow the removal instructions below in case you are a tech savvy user and know where the files and registry entries of DiamondFox are located.