Peter Stephenson
Peter Stephenson

Last time we looked at the overview of the latest release – Crystal Version – and we got a good look at what the bot is supposed to be doing.  We also got a top-level look at the architecture. Then, as promised, I turned it over to our reversing guru, Hasherezade for a closer look at DF's internals. After digging a bit through the code – which was very easy to reverse as you will see – her conclusion is that the code leaves something to be desired. It is written in Visual Basic. It de-compiled using VB Decompiler (https://www.vb-decompiler.org). 

We had two samples – one with anti-reversing turned on and one with it turned off. The one with anti-reversing disabled showed a compile timestamp of 2016-06-02 19:59:10. It had an MD5 has of 8f77d92060389f5733905710714556ce. This is the sample with which we worked.

After being run, the sample install itself in StartMenu/Programs/Startup under the name explorer.exe (see Figure 1). We also have observed it installing in other directories.

Figure 1 - Sample Installed as explorer.exe

It drops another copy in a hidden folder and adds both paths to autorun in the Registry – see Figures 2 and 3.

Figure 2 - Copy of Malware in Hidden Folder

Figure 3 - Autorun


After installation, it runs the dropped copy and queries the command and control server.  (gate.php on the C&C. The C&C of the analyzed sample was not active.) However, when we executed the sample in our sacrificial virtual machine it went to several IP addresses including:

  • 239.255.255.250  --  Malware reported by dnsbl.ahbl.org, tor.ahbl.org, virustotal.com, urlquery.net
  • 23.194.88.172  --  No malware reported]
  • 224.0.0.251  --  No malware reported
  • 216.58.216.78  --  Malware reported by hybrid-analysis.com, avgthreatlabs.com, CiscoInvestigate
  • 216.58.192.170  --  Malware reported by Cisco Investigate
  • 216.58.192.174  --  Malware reported by Cisco Investigate
  • 216.58.192.142  --  Malware reported by Cisco Investigate – UDP to port 443 on destination

We did not obtain any direct evidence that any of these IPs were C&C servers for DiamondFox. None of these addresses appear yet in the AlienVault OTX which leads us to believe that this is not in the wild to any great extent yet.  Also, many of the malwares showing up in Investigate are quite old and may not be associated with DF at all.

Similarly to other editions, also this sample of Diamond Fox was packed – but while in the past the author often used VM Protect, this time the packer is different. The Crystal version, like previous versions of DF is written in Visual Basic. However, in contrast to some of the previous editions, almost all the code is in one module.

This version of DF added several new features which Hasherezade checked out for us.  Among others there are new keys for achieving persistence as well as a domain generation algorithm (DGA). There is an improved crypto wallet stealer that steals several kinds of coins. See Figure 4.

Figure 4 - Sample of Crypto Currency Stealer Code


The Crystal Version is widely available on the Web and you don't need to go to the Dark Web either.  For example, Figure 5 shows an ad on https://www.rekings.com, a marketplace for malware and exploits.

Figure 5 - Web Ad for DF Crystal


Additionally, we found a very few active C&C servers by spot-checking a list of IoCs at https://github.com/pan-unit42/iocs/blob/master/diamondfox/diamondfox_panels.txt: (However, almost all are either dead, removed or shut down)

·         http://185.145.129.207/Host/

·         http://195.133.145.239/install.php (installer)

·         http://1lidoo.ml/fox/Panel/

·         http://steamtoday.ru/diamond/

·         http://www.sadteam.net/panel/

·         http://www.sadteam.net/udb/

·         http://www.sadteam.net/umutdb/

·         http://www.sec.parmankulov.com/

·         http://www.securityupdates.online/Cicada/

·         http://www.vidyasagar.com/wp-content/themes/pindol/wp-logs/p/

While we found very few of the IoCs in the git list active – and to be sure we did not check all of them… there are over 600 – what we did find was that this bot is in the wild and is being used by several bot operators.

Next week we'll have a guest blogger from Sqrrl who will walk us through threat hunting DF on the enterprise.

Now here are your numbers for this week….

--Dr. S

Figure 6 - Top 10 Command and Control IPs Hitting the Packetsled Sensor on our Honeynet


Figure 7 - Top 10 IPs Hitting the Packetsled Sensor on our Honeynet


Figure 8 - This Week's New Malicious Domains from MDL



Figure 9 - Top Attack Types as Seen by our Niksun NetDetector against our Honeynet