Back in 2015 we first became aware of a new bot system called DiamondFox. Because it was involved with a project called Gorynych (Dragon) the two have become terms/names used interchangeably.
In April of 2015 the actor released DiamondFox as a new incarnation of Gorynych. For our purposes we will stick to DiamondFox and concentrate on the bot’s provenance from April of 2015 (release 05.04.15.)
The author of the bot describes it as an “…HTTP Plugin-Based loader made for stability and functionality, for maintain a stable connection with a considerable amount of bots.” Within the past month the actor has released a new version called the “Crystal Version”. In this week’s blog we’ll look at some of the history behind the malware, what it does, a bit about how it does it and a deeper look at how it is managed. Next week we’ll dig a bit deeper. The actor’s blog announcing the new release is in Figure 1.
Figure 1 – Announcement of New Version of DiamondFox
Before we get into the bot, here’s a bit about the actor. Historically, he has been writing malware for some time and, presumably, is the writer of Gorynych and DiamondFox. He is Mexican, his handle online is EduArdO__xD but he also goes by Edbitss, EBitss, RiumkaVodki and Эдуардо. He seems fluent in Russian and he has been active in the underground since at least 2011. He claims to be located in Russia but it appears that he actually lives in Mexico. All of this information – and much more – is easily searchable on the Web and the Dark Web. However, like all such information I tend to view this with a bit of skepticism. His Taringa page (sort of like a Mexican Facebook) is in Figure 2:
Figure 2 – EduArdO__xD’s Taringa Page
The Crystal Version is slick and professional. It comes complete with an administrator’s guide. All of this information is broadly in the wild so it’s pretty easy to come by. Much of it has been leaked extensively. The actor claims that he paid close attention to analysts who reported on early versions of the bot and made corrections where necessary based upon their comments. In that regard, he shows himself to be a competent businessman as well as a programmer. In addition, he has built in safeguards so just because the bot is leaked does not mean that it can be hijacked easily. Even though he has rules, violation of which will cost you your license, it is clear that enterprising hackers have ignored them.
We won’t go into the earlier version of DiamondFox. Brian Wallace at Cylance – one of our Lab Approved products – has done a great job of that in his blog entry, “A Study in Bots: DiamondFox” at https://blog.cylance.com/a-study-in-bots-diamondfox. Because a lot of the architecture of the Crystal Version is similar, this will give you a good start on how DiamondFox works. There are, however, some real differences and we’ll get inside the bot next week.
When we ran our sample of the bot with its anti-reversing features disabled, Malwarebytes pegged it as backdoor.bot and recognized it as malware. It recognized it with its anti-reversing enabled as well. 43 of 56 AV programs on VirusTotal recognized the disabled version and 33 recognized the enabled version. Our conclusion is that, although there was pretty much no agreement on exactly what it is, it’s for certain that it’s not FUD (“Fully UnDetectable”). Keep your anti-malware current and this one won’t likely get past you.
During our research we became aware of a malicious URL used by our actor – lalonoip.no-ip.biz – which resolved to 18.104.22.168, an IP hosting 272 malicious domains over the week. This is a well-known malicious IP and its collection of domains looks pretty much as if it was built with a DGA. We noted that some top-level domains were consistent, though, with the DGA building the subdomains:
In addition to the malicious domains, this IP also hosts several types of malware. Here are some hashes for your IOC collection:
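The domain pattern noted above (a consistent parent domain with machine-generated subdomains) can be triaged from a passive-DNS export for a single IP. The following is an added example, not part of the original post or any vendor tooling; the hostnames are constructed, and the entropy and ratio thresholds and the two-label parent split are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed passive-DNS hostnames for one IP; none come from the post.
SAMPLE_HOSTNAMES = [
    "xk2vq9zt7bwp.example-dyn.test", "q8r1mzp0vlc4.example-dyn.test",
    "h3ynw6tf2kdj.example-dyn.test", "zp7c4gx1rmq8.example-dyn.test",
    "www.shop.test", "mail.shop.test", "static.shop.test", "blog.shop.test",
    "b7tq2xk9m.lonely.test",
]

def shannon_entropy(label):
    """Bits per character of a DNS label."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def split_host(hostname, parent_labels=2):
    """Return (leftmost label, parent domain), or None if there is no subdomain.
    Assumption: the parent is the last `parent_labels` labels; real data
    should be split with the Public Suffix List instead."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) <= parent_labels:
        return None
    return labels[0], ".".join(labels[-parent_labels:])

def looks_generated(label, min_len=8, min_entropy=3.0):
    """Heuristic (assumed thresholds): a long, high-entropy label."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def flag_dga_parents(hostnames, min_hosts=3, min_ratio=0.75):
    """Map parent domain -> (generated, total) where most subdomains look generated."""
    by_parent = defaultdict(set)
    for host in hostnames:
        parts = split_host(host)
        if parts:
            by_parent[parts[1]].add(parts[0])
    flagged = {}
    for parent, labels in by_parent.items():
        generated = sum(looks_generated(label) for label in labels)
        if len(labels) >= min_hosts and generated / len(labels) >= min_ratio:
            flagged[parent] = (generated, len(labels))
    return flagged

if __name__ == "__main__":
    for parent, (gen, total) in flag_dga_parents(SAMPLE_HOSTNAMES).items():
        print(f"{parent}: {gen}/{total} subdomains look machine-generated")
```

Dictionary-based DGAs will not trip an entropy threshold, so a parent that is not flagged here is inconclusive rather than clean.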
Now let’s look at how this is being used. This is a malware that installs a control panel/C&C and builds bots to your specification. The bots have a lot of functionality available, depending upon how they are configured. For example, the earlier version was used in the Operation Black Atlas point of sale campaign to download BlackPOS. The bot has the following plugins, substantially increased from earlier versions:
- Browser password stealer
- FTP password stealer
- E-mail grabber
- RDP/VNC grabber
- RAM scraper
- Instant messenger grabber
- DNS redirects
- Crypto wallet stealer
- Browser homepage changer
- Social network spread
- Ammy RDP
Of course, there are lots of individual products that fit into each of these categories so it is pretty certain that the bot has rather universal functionality as regards its plugins.
The cPanel uses MySQL as a backend and is a PHP application. You install to the URL of your C2. Once this part of the install is done you move to the Builder. Here you have a domain generator and you can set its parameters. Security adds encryption and now you’re ready to set up the install parameters for the bot. You can then set up extras such as Anti-VirtualBox (to detect possible sandbox VMs) as well as such other anti-analysis functions as Anti-OllyDBG, a tool popular with reverse engineers.
You can set your C2 as static (give it a URL for the bot to phone home) or dynamic (use a domain generation algorithm). Now you’re ready to build bots… it’s really that simple. See Figure 3 for the C2 panel.
Figure 3 – Crystal Version Panel
In addition to the builder, there is a nice dashboard that monitors botnet activity and allows some control over the bots. Figure 4 shows the dashboard.
Figure 4 – Dashboard
Overall we were moderately impressed by DiamondFox Crystal Version’s flash but we found the bang a little weak. Hasherezade will join us next week for a deeper dive into the bot’s internals.
I want to end this blog with a “Call for Chapters”. I am editing a handbook of information security management. It is based upon the NICE platform (National Initiative for Cybersecurity Education) and I am looking for chapter authors. This is for a major publisher so there is a lot of opportunity for glory if not riches. Contact me if you would like to contribute a chapter (or more).
That said, and in anticipation of details on DiamondFox’s internals here are your stats for the week….
Figure 5 – Top 10 Command and Control IPs Hitting the Packetsled Sensor on our Honeynet
Figure 6 – Top 10 IPs Hitting the Packetsled Sensor on our Honeynet
Figure 7 – This Week’s New Malicious Domains from MDL
Figure 8 – Top Attack Types as Seen by our Niksun NetDetector against our Honeynet