Darkode forum was supposed to be resuscitated, but …

Pierluigi Paganini December 02, 2015

The experts at Damballa’s Threat Discovery Center have discovered the revived Darkode forum.

In July 2015, an international joint law-enforcement effort led to the arrest of dozens of people active on the popular Darkode crime forum.

Darkode was a black market specialized in the sale of exploit kits and hacking tools; its sellers also offered spam services and malware customization services.

The FBI, along with Europol and Brazil’s Federal Police, had been monitoring the cybercriminal forum since March; the operation resulted in 62 arrests in 18 countries worldwide, including Colombia, Germany, India and the UK.

According to the administrator, who uses the online pseudonym Sp3cial1st, following the seizure of Darkode on 14 July he waited for the identities of those arrested to be disclosed before deciding to bring the forum back online.

At the end of July, the administrator of the Darkode hacking forum announced the imminent return online of the platform with new security improvements.

Last July, Damballa’s Threat Discovery Center discussed the infamous web forum Darkode, which was supposed to be resuscitated by sp3cial1st.

Since then, Damballa’s Threat Discovery Center has been monitoring the dark web in search of a new Darkode forum. The experts discovered the revived Darkode Reloaded. Obviously, the Darkode forum was deployed on the dark web for “security” reasons and anonymity, but the forum is also accessible without the Tor client, a circumstance that reveals poor design.


According to experts at Damballa, the current administrator of the Darkode forum, Sven, is a former member of the forum.

Sven has implemented a Jabber service that runs on the domain darkode.club and is hosted on a dedicated server at 86.105.227[.]13 located in Russia.

Also in this case, the experts noticed serious security issues and poor design: the Openfire version installed on the server (3.10.2) is affected by a number of vulnerabilities.

“The server is poorly configured. We know that this server runs a software called Jetty 9.2 Snapshot. This software comes along with Openfire. Openfire is a Jabber server software and the version 3.10.2 is installed. The Jetty software listens on port 7070 by default and this port is wide open on the server. The administration interface for the jabber server is also accessible with the default configuration port 9090.” states a blog post published by Damballa.

The lack of security and the poor configuration show that Darkode cannot be trusted.
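The exposure Damballa describes (Jetty on 7070 and the admin console on 9090 listening on every interface) is the kind of thing an operator can catch from the host's own socket table. The following is an added example, not Damballa's code; it audits `ss -ltn` style output for Openfire's stock listeners bound to non-loopback addresses, and the sample output it runs on is constructed.

```python
# Added example: flag Openfire/Jetty default listeners exposed beyond
# loopback. Port-to-service map assumes stock Openfire 3.x defaults.
OPENFIRE_DEFAULT_PORTS = {
    7070: "Jetty HTTP-bind (BOSH) listener, plaintext",
    9090: "Openfire admin console, plaintext",
    9091: "Openfire admin console, TLS",
}

# "Every interface" binds; with a public IP and no firewall these are internet-reachable.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

def parse_listeners(ss_output):
    """Parse `ss -ltn` style output into a list of (local_addr, port) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners

def audit_openfire_exposure(ss_output):
    """Return Openfire/Jetty default ports bound to a non-loopback address, sorted by port."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in OPENFIRE_DEFAULT_PORTS or addr.startswith(LOOPBACK_PREFIXES):
            continue  # not an Openfire default, or reachable only from the host itself
        findings.append({
            "port": port,
            "bound_to": addr,
            "service": OPENFIRE_DEFAULT_PORTS[port],
            "world_reachable": addr in WILDCARD_ADDRS,
        })
    return sorted(findings, key=lambda f: f["port"])

# Constructed sample resembling `ss -ltn` on a host configured like the one described.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     0.0.0.0:5222        0.0.0.0:*
LISTEN 0      50     0.0.0.0:7070        0.0.0.0:*
LISTEN 0      50     0.0.0.0:9090        0.0.0.0:*
LISTEN 0      50     127.0.0.1:9091      0.0.0.0:*
"""

if __name__ == "__main__":
    for f in audit_openfire_exposure(SAMPLE_SS_OUTPUT):
        print(f"port {f['port']} ({f['service']}) bound to {f['bound_to']}")
```

Port 5222 (client XMPP) is intentionally left out of the map: it is expected to be public, while the admin console on 9091 bound to 127.0.0.1 is correctly not reported.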

Experts at Damballa have criticized the new Darkode forum, defining it “a bad Darkode imitation with rigorous rules.”
The experts noticed the absence of discussions and threads about banking trojans or other high-profile malware.

Darkode Reloaded is a far cry from the original.

Pierluigi Paganini

(Security Affairs – cybercrime, Darkode forum)
