DiamondFox Botnet Steals Financial Information - How to, Technology and PC Security Forum | SensorsTechForum.com

DiamondFox Botnet Steals Financial Information

botnet-operations-stforumA dangerous botnet that aims to steal financial information from important computers such as cashier POS machines has been reported to be spread on dark web forums and markets. This type of malware is particularly dangerous because it comes with a kit and practically anyone with moderate knowledge on how to operate malware can simply download it and begin infecting computers. Not only this but the bot is also able to spread quite quickly and has many other functions, like DDoS (Denial of Service) for example.

Threat Summary



Short DescriptionAims to steal passwords, personal and financial information. Attacks POS machines as well.
SymptomsCannot open the Windows Registry Editor and Windows Task Manager.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or from a USB Drive or Dropbox that have been infected from a compromised computer that has DiamondFox on it.
Detection Tool See If Your System Has Been Affected by DiamondFox


Malware Removal Tool

User ExperienceJoin our forum to Discuss DiamondFox Ransomware.

DiamondFox Botnet Malware – How Does It Infect

Malware researchers at Cylance blog have reported that this extremely dangerous malware uses several different methods to spread. It may infect your computer via a USB thumb drive or even via Dropbox, and this may happen unknowingly. To best illustrate how a USB infection can occur, imagine that someone inserts a USB flash drive into an infected computer, and the malware replicates itself on the drive, very similar to how a worm acts – directly without any permission. Besides this, the DiamondFox botnet malware can also spread via e-mails if the ones who are using it decide to spread massive spam message to a pre-programmed list via an advanced spam bot.

What Is DiamondFox BotNet Capable Of?n

As soon as this virus attacks a computer, it can perform a wide range of malicious deeds to it, from the most basic ones to very complicated ones.

One very simple “feature” of the DiamondFox botnet is to collect information from the keystrokes of the user PC and saves a log in a .txt file or another type of file. An example of a keylogging may be the following interface:

log/pass file

Such information, if properly understood by cyber-criminals can result in the theft of your e-mail account and other accounts you may enter your credentials in.

Furthermore, just like any other malware out there, DiamondFox may prevent the user from entering his Task Manager or the Windows Registry Editor. This is a defensive measure and prevents you from deleting DiamondFox from your computer.

Another feature of this virus is that it is pre-programmed to automatically detect Virtual OSs. As soon as it detects that It has run on a virtual machine, the virus immediately shuts down, making it significantly more difficult to research it.

In addition to this detection, the DiamondFox botnet is also configured to detect detonation services, debuggers and even someone who tries to reverse-engineer it.

The DiamonFox virus also can function as a plugin and even take screenshots of the computer, similar to most Trojan Horse infections out there.

Not only this, but DiamonFox is also capable of remotely self-deleting as well.

Unlike a typical trojan horse, that is controlled via software installed on the computer, the DiamonFox botnet malware is controlled via a C&C(Command and Control) online panel that has a custom account for the hacker to access.


In this account, you can find other numerous features of the DiamondFox botnet, such as:

  • Activating and deactivating active connection to infected computers.
  • DDoS capability via flooding the machine on UDP or HTTP.
  • Activating and deactivating POS terminals.
  • Spam sender to the infected machine.
  • A homepage changing features for Mozilla Firefox.
  • An information stealer for BitCoin wallets.
  • A spam bot that spreads messages from infected computer’s Twitter and Facebook accounts to further infect people with the DiamondFox or other malware.
  • Password stealer that grabs saved passwords(Grabber).
  • FTB, RDP and e-mail grabber.
  • “Updating from a distance” feature.

The virus can be detected, by using Wireshark, however. This can happen if you analyze the HTTP traffic that is going to the command and control server since it uses HTTP POST traffic to communicate with it. The bad news of that is that the traffic is XOR encrypted with a key that only the C&C server can read and detect.

DiamondFox Botnet – Conclusion, Removal, and Protection

DiamondFox is a threat that has a lot of functions and acts as if it is a remote-access-trojan. In case you cannot access you Task Manager or Registry Editor, we strongly advise scanning your computer in safe mode with an advanced anti-malware program because it will protect you in the future and detect other malware that may have been installed as well. You can also follow the removal instructions below in case you are a tech savvy user and know where the files and registry entries of DiamondFox are located.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share