Peter Stephenson
Peter Stephenson

Back in 2015 we first became aware of a new bot system called DiamondFox. Because it was involved with a project called Gorynych (Dragon) the two have become terms/names used interchangeably.

In April of 2015 the actor released DiamondFox as a new incarnation of Gorynych. For our purposes we will stick to DiamondFox and concentrate on the bot's provenance from April of 2015 (release 05.04.15.)

The author of the bot describes it as an "...HTTP Plugin-Based loader made for stability and functionality, for maintain a stable connection with a considerable amount of bots." Within the past month the actor has released a new version called the "Crystal Version". In this week's blog we'll look at some of the history behind the malware, what it does, a bit about how it does it and a deeper look at how it is managed. News week we'll dig a bit deeper. The actor's blog announcing the new release is in Figure 1.

Figure 1 - Announcement of New Version of DiamondFox


Before we get into the bot, here's a bit about the actor. Historically, he has been writing malware for some time and, presumably, is the writer of Gorynych and DiamondFox. He is Mexican, his handle on line is EduArdO__xD but he also goes by EdbitssEBitssRiumkaVodki and Эдуардо. He seems fluent in Russian and he has been actively in the underground since at least 2011. He claims to be located in Russia but it appears that he actually lives in Mexico. All of this information - and much more - is easily searchable on the Web and the Dark Web. However, like all such information I tend to view this with a bit of skepticism. His Taringa page (sort of like a Mexican Facebook) is in Figure 2:

Figure 2 - EduArdO__xD's Taringa Page


The Crystal Version is slick and professional. It comes complete with an administrator's guide. All of this information is broadly in the wild so it's pretty easy to come by. Much of it has been leaked extensively. The actor claims that he paid close attention to analysts who reported on early versions of the bot and made corrections where necessary based upon their comments. In that regard, he shows himself to be a competent businessman as well as a programmer. In addition, he has built in safeguards so just because the bot is leaked does not mean that it can be hijacked easily. Even though he has rules, violation of which will cost you your license, it is clear that enterprising hackers have ignored them.

We won't go into the earlier version of DiamondFox. Brian Wallace at Cylance - one of our Lab Approved products - has done a great job of that in his blog entry, "A Study in Bots: DiamondFox" at https://blog.cylance.com/a-study-in-bots-diamondfox. Because a lot of the architecture of the Crystal Version is similar, this will get a good start for you on how DiamondFox works. There are, however, some real differences and we'll get inside the bot next week.

When we ran our sample of the bot with its anti-reversing features disabled, Malwarebytes pegged it as backdoor.bot and recognized it as malware. It recognized it with its anti-reversing enabled as well. 43 of 56 AV programs on VirusTotal recognized the disabled version and 33 recognized the enabled version. Our conclusion is that, although there was pretty much no agreement on exactly what it is, it's for certain that it's not FUD ("Fully UnDetectable"). Keep your anti-malware current and this one won't likely get past you.

We became, during our research, of a malicious URL used by our actor - lalonoip.no-ip.biz - and that resolved to 204.95.99.109, an IP hosing 272 malicious domains over the week. This is a well-known malicious IP and its collection of domains look pretty much as if they were built with a DGA. We noted that some top-level domains were consistent, though with the DGA building the subdomains:

In addition to the malicious domains, this IP also hosts several types of malware. Here are some hashes for your IOC collection:

4b0481a8cb223bf3ce50e0f501b620d829fcb76d1d0522d3be14939858adb346

60c4666224eea1db17e74b6d1da5786248d8fd9c087eebdaf96c99a42dfeca6d

9e228bea8e1b5f4e563e17761bdf17b4d720be59dc930411d2a72e349b1160bb

c29b4f985845278281b2b4c801e54ce5d3cd83bb8ff7cf5a0c54dec803890444

c6ebd75727b88efeab910e01a221cefe2f1241a02be696e64c2b6c7f31d3be38

c7adffe0968ec268017266d42396d3de2dc679116f0bb3ae2644fad6d9f1cd72

cce0493dafff8415ecc44cd4a9f0ad7fa04aaa1deecfd5d21f7650bfef20a3d5

ee82f9de43e80dc13908a3095a8e642106f8d7c4ce50f0d8a81ed532721294a8

f30f691c9929905459f3756751af7053c7fec97508831b95da6ff52078047226

fd6548956d0989189f74337661da490ce1972638eed7b10290e9ff8f1ea89bbe

Now let's look at how this is being used. This is a malware that installs a control panel/C&C and builds bots to your specification. The bots have a lot of functionality available, depending upon how they are configured. For example, the earlier version was used in the Operation Black Atlas point of sale campaign to download BlackPOS. The bot has the following plugins, substantially increased from earlier versions:

  • Browser password stealer
  • FTP password stealer
  • DDoS
  • Keylogger
  • E-mail grabber
  • RDP/VNC grabber
  • RAM scraper
  • Instant messenger grabber
  • Screenshots
  • Spam
  • DNS redirects
  • Persistence
  • Crypto wallet stealer
  • Browser homepage changer
  • Social network spread
  • Ammy RDP
  • Console

Of course, there are lots of individual products that fit into each of these categories so it is pretty certain that the bot has rather universal functionality as regards its plugins.

The cPanel uses MySQL as a backend and it a PHP application. You install to the URL of your C2. Once this part of the install is done you move to the Builder. Here you have a domain generator and you can set its parameters. Security adds encryption and now you're ready to set up the install parameters for the bot. You can then set up extras such as Anti-VirtualBox (to detect possible sandbox VMs) as well as such other anti-analysis functions as Anti-OllyDBG, a tool popular with reversing engineers.

You can set your C2 as static (give it a URL for the bot to phone home) or dynamic (use a domain generation algorithm) . Now you're ready to build bots... it's really that simple. See Figure 3 for the C2 panel.

Figure 3 - Crystal Version Panel


In addition to the builder, there is a nice dashboard that monitors bot net activity and allows some control over the bots. Figure 4 shows the dashboard.

Figure 4 - Dashboard


Overall we were moderately impressed by DiamodFox Cystal Version's flash but we found the bang a little weak. Hasherezade will join us next week for a deeper dive into the bot's internals.

I want to end this blog with a "Call for Chapters". I am editing a handbook of information security management. It is based upon the NICE platform (National Initiative for Cybersecurity Education) and I am looking for chapter authors. This is for a major publisher so there is a lot of opportunity for glory if not riches. Contact me if you would like to contribute a chapter (or more).

That said, and in anticipation of details on DiamondFox's internals here are your stats for the week....

--Dr. S

 

Figure 5 - Top 10 Command and Control IPs Hitting the Packetsled Sensor on our Honeynet

 

Figure 6 - Top 10 IPs Hitting the Packetsled Sensor on our Honeynet

Figure 7 - This Week's New Malicious Domains from MDL

Figure 8 - Top Attack Types as Seen by our Niksun NetDetector against our Honeynet