Tags: Darkode, malware
Last July, Damballa’s Threat Discovery Center discussed the infamous web forum, Darkode, that was supposed to be resuscitated by sp3cial1st.
Since then, we’ve been monitoring the dark web to see if a new Darkode forum would show up and we discovered the new Darkode Reloaded. It has resurfaced.
As promised, the administrators moved the forum to the dark web for “security” reasons and anonymity. Security and anonymity of a criminal forum is only as good as the forum administrator. It’s all a “trompe-l’œil” (illusion). See for yourself, the search page of the forum was wide open to anyone without being logged in.
Image 1. Search page open
From the search page, the forum was completely accessible. The member list, the active topics, you name it. The member list link revealed the whole list of members.
Image 2. List of members open
The forum administrator Sven is a very generic handle but we know that he’s a previous member of Darkode. As for the rest of the members, there is a mix of HackForum members usually called HF skids and DamageLab members. This gives you an idea about the quality of the forum.
In terms of security, the forum is also accessible without the Tor software. It can be accessed from any browser without anonymity. Another poor design of the forum.
Darkode Jabber Service
Sven, the administrator of Darkode, offers a Jabber service to its members. The jabber server runs on the domain darkode.club and is hosted on a dedicated server at 86.105.227[.]13 located in Russia.
The server is poorly configured. We know that this server runs a software called Jetty 9.2 Snapshot. This software comes along with Openfire. Openfire is a Jabber server software and the version 3.10.2 is installed. The Jetty software listens on port 7070 by default and this port is wide open on the server:
The administration interface for the jabber server is also accessible with the default configuration port 9090.
The email address and name used to register the domain darkode.club are:
The server has the following ports open:
22 – SSH
25 – SMTP
80 – HTTP
5222 – Openfire
5223 – Openfire
5229 – Openfire
5269 – Openfire
7070 – Jetty Snapshot
9090 – Openfire Administration interface
On top of access control issues with the forum, the software also has vulnerability issues. The Openfire version installed 3.10.2 is subject to several reported vulnerabilities, you can find a complete list here:
From the posts we reviewed, no significant activity stood out. It felt like a bad Darkode imitation with rigorous rules. There was no discussion of banking trojans or similar high profile malware.
The criminal community has low trust in the ‘new’ Darkode forum. The lack of security and misconfiguration shows that Darkode can’t be trusted and will never regain its former glory. Another Darkode fail. In previous times, we’d provide the link, but this time we aren’t because it’s just not worth anyone’s time.
A special thank you to the HPE Field Intelligence team for their contribution.
— Loucif Kharouni
Senior Threat Researcher, Damballa