DiamondFox Botnet Steals Financial Information - How to, Technology and PC Security Forum | SensorsTechForum.com

DiamondFox Botnet Steals Financial Information

botnet-operations-stforumA dangerous botnet that aims to steal financial information from important computers such as cashier POS machines has been reported to be spread on dark web forums and markets. This type of malware is particularly dangerous because it comes with a kit and practically anyone with moderate knowledge on how to operate malware can simply download it and begin infecting computers. Not only this but the bot is also able to spread quite quickly and has many other functions, like DDoS (Denial of Service) for example.

Threat Summary



Short DescriptionAims to steal passwords, personal and financial information. Attacks POS machines as well.
SymptomsCannot open the Windows Registry Editor and Windows Task Manager.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or from a USB Drive or Dropbox that have been infected from a compromised computer that has DiamondFox on it.
Detection Tool See If Your System Has Been Affected by DiamondFox


Malware Removal Tool

User ExperienceJoin our forum to Discuss DiamondFox Ransomware.

DiamondFox Botnet Malware – How Does It Infect

Malware researchers at Cylance blog have reported that this extremely dangerous malware uses several different methods to spread. It may infect your computer via a USB thumb drive or even via Dropbox, and this may happen unknowingly. To best illustrate how a USB infection can occur, imagine that someone inserts a USB flash drive into an infected computer, and the malware replicates itself on the drive, very similar to how a worm acts – directly without any permission. Besides this, the DiamondFox botnet malware can also spread via e-mails if the ones who are using it decide to spread massive spam message to a pre-programmed list via an advanced spam bot.

What Is DiamondFox BotNet Capable Of?n

As soon as this virus attacks a computer, it can perform a wide range of malicious deeds to it, from the most basic ones to very complicated ones.

One very simple “feature” of the DiamondFox botnet is to collect information from the keystrokes of the user PC and saves a log in a .txt file or another type of file. An example of a keylogging may be the following interface:

log/pass file

Such information, if properly understood by cyber-criminals can result in the theft of your e-mail account and other accounts you may enter your credentials in.

Furthermore, just like any other malware out there, DiamondFox may prevent the user from entering his Task Manager or the Windows Registry Editor. This is a defensive measure and prevents you from deleting DiamondFox from your computer.

Another feature of this virus is that it is pre-programmed to automatically detect Virtual OSs. As soon as it detects that It has run on a virtual machine, the virus immediately shuts down, making it significantly more difficult to research it.

In addition to this detection, the DiamondFox botnet is also configured to detect detonation services, debuggers and even someone who tries to reverse-engineer it.

The DiamonFox virus also can function as a plugin and even take screenshots of the computer, similar to most Trojan Horse infections out there.

Not only this, but DiamonFox is also capable of remotely self-deleting as well.

Unlike a typical trojan horse, that is controlled via software installed on the computer, the DiamonFox botnet malware is controlled via a C&C(Command and Control) online panel that has a custom account for the hacker to access.


In this account, you can find other numerous features of the DiamondFox botnet, such as:

  • Activating and deactivating active connection to infected computers.
  • DDoS capability via flooding the machine on UDP or HTTP.
  • Activating and deactivating POS terminals.
  • Spam sender to the infected machine.
  • A homepage changing features for Mozilla Firefox.
  • An information stealer for BitCoin wallets.
  • A spam bot that spreads messages from infected computer’s Twitter and Facebook accounts to further infect people with the DiamondFox or other malware.
  • Password stealer that grabs saved passwords(Grabber).
  • FTB, RDP and e-mail grabber.
  • “Updating from a distance” feature.

The virus can be detected, by using Wireshark, however. This can happen if you analyze the HTTP traffic that is going to the command and control server since it uses HTTP POST traffic to communicate with it. The bad news of that is that the traffic is XOR encrypted with a key that only the C&C server can read and detect.

DiamondFox Botnet – Conclusion, Removal, and Protection

DiamondFox is a threat that has a lot of functions and acts as if it is a remote-access-trojan. In case you cannot access you Task Manager or Registry Editor, we strongly advise scanning your computer in safe mode with an advanced anti-malware program because it will protect you in the future and detect other malware that may have been installed as well. You can also follow the removal instructions below in case you are a tech savvy user and know where the files and registry entries of DiamondFox are located.

Manually delete DiamondFox from your computer

Note! Substantial notification about the DiamondFox threat: Manual removal of DiamondFox requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove DiamondFox files and objects.
2. Find malicious files created by DiamondFox on your PC.
3. Fix registry entries created by DiamondFox on your PC.

Automatically remove DiamondFox by downloading an advanced anti-malware program

1. Remove DiamondFox with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by DiamondFox in the future
Optional: Using Alternative Anti-Malware Tools

How to Find Decryption Key for Files Encrypted By DiamondFox Ransomware

We have designed to make a tutorial which is as simple as possible to theoretically explain how could you detect your decryption key. Find out how

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.