DiamondFox: New Joint Research from Check Point & Terbium Labs

These are not the foxes you're looking for.
May 10, 2017

The Terbium Analyst Team is on the front-line of combatting dark web myths and legends. Whether it's a threat report, white paper, or blog post, the Analyst Team's job is to know things and speak intelligently about them. Other interests include weightlifting, chocolate, and accumulating obscure dark web trivia to amuse and confuse our co-workers.

We recently partnered with researchers at Check Point to investigate the DiamondFox ransomware - an insidious platform wreaking havoc on victims across the world. Perhaps unsurprisingly, this ransomware-as-a-service is openly traded, reviewed, and detailed on the dark web.

To support Check Point’s technical analysis of the malware, Terbium Labs leveraged our Analyst team and massive dark web crawler to locate critical forum discussions and advertisements of DiamondFox across the dark web.

Although these discussions were spread across many forums, we identified what is arguably DiamondFox’s main sales and communication thread, which has been moderated for over a year by the ransomware’s creator and official vendor, a threat actor known as edbitss.


The report includes a review of the ransomware’s sales procedure and customer reviews, as well as a full technical analysis of its multiple plugins. For the full DiamondFox report click here.

We’ve previously written about the pernicious risk of these underground forums (see: Dark Web Forums: the Underbelly’s Underbelly) and the unique threat they pose to individuals and businesses alike. In the case of DiamondFox, all the salient points are still at play.

Dark web forums contain actionable intelligence, but they also present an incomplete picture of the threat. The actual vendor-customer transactions take place away from the already-hidden posts, adding another layer of difficulty for researchers trying to investigate purchasing and delivery mechanisms. Official sales are conducted separately and through encrypted communications only. As pictured in the official sales thread above, edbitss prefers Jabber, which relies on the encrypted XMPP protocol favored by many on the dark web.

After someone purchases DiamondFox, the evolving and modular malware offers a wide range of plugins (the malware’s capabilities) that enable its users to engage in widespread fraud and vandalism with relative ease and little technical knowledge. The advertised password and file stealers, distributed denial of service (DDoS) attack dashboards, keyloggers, and RAM scrapers are highly sought after by would-be fraudsters and hackers.

Ultimately, DiamondFox is one of the many malicious tools fueling the cybercrime economy and contributing to the alarming rate of stolen and leaked personal information online.

Click here to read the full report.
