Darkode Returns Following International Raids

When I was contacted asking for a comment about the darkode raid, I said that the main administrator had not been arrested and that I’d be surprised if the forum wasn’t back within a week; well, it’s been a little more than a week (I’ll put on my surprised face), but as expected darkode has returned. Originally the main admin, known as “Sp3cial1st”, had posted a statement on pastebin declaring that he wanted to wait and see who all of the 70 arrested users were before bringing the forums back online, but about two hours ago he updated his jabber status to advertise darkode.cc, which appears to be a placeholder for the future site.

Darkode’s new homepage

Currently we’re greeted with a message addressing the raids and containing some information about the new site; however, the page leads nowhere and the “Generate Onion” button doesn’t work (though the information given is quite interesting).

The message states that not only will darkode now operate from a Tor hidden service, but each user will be given their own onion address for the forum, which is admittedly quite a clever idea. Firstly, it would allow the darkode admins greater control over who gets access, since a hacked account is useless to anyone who doesn’t also have the owner’s onion URL; it would also allow them to better monitor who views what by keeping an individual log file for each onion, meaning they could quickly weed out leakers.
Even more interesting, it states that bitcoin wallets would be tied to accounts and used to authenticate users on the forums. This would mean that a hacked account could not be used to scam others unless the attacker also knows the user’s private key.
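To show what binding an account to a key pair actually buys, here is an added sketch of the challenge-response login it implies (my own illustration, not darkode’s code). The server stores only each user’s public key, hands out a fresh random nonce at login, and accepts the session only if the nonce comes back signed by the matching private key; the nonce is consumed on first use so a captured signature can’t be replayed. Ed25519 from the Go standard library stands in for the bitcoin (secp256k1) wallet key the message describes, since the principle is the same; the `Registry` type and the user “alice” are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Registry is the forum's view of its users: each account is bound to the
// public key registered at signup, plus at most one outstanding login challenge.
// (Constructed for this example; not part of any real forum software.)
type Registry struct {
	mu     sync.Mutex
	keys   map[string]ed25519.PublicKey
	nonces map[string][]byte
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}}
}

// NewAccount generates a key pair on the user's side; only the public half is
// ever sent to the server. Ed25519 is a stand-in for a wallet key pair.
func NewAccount() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Register binds a username to a public key.
func (r *Registry) Register(user string, pub ed25519.PublicKey) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.keys[user] = pub
}

// Challenge issues a fresh 32-byte random nonce that the user must sign.
func (r *Registry) Challenge(user string) ([]byte, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, ok := r.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.nonces[user] = nonce
	return nonce, nil
}

// Sign is the client side: prove possession of the private key by signing the nonce.
func Sign(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Verify checks the signature against the registered key and the outstanding
// nonce, then discards the nonce so a captured signature cannot be replayed.
func (r *Registry) Verify(user string, sig []byte) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	pub, ok := r.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	nonce, ok := r.nonces[user]
	if !ok {
		return errors.New("no outstanding challenge (expired or already used)")
	}
	delete(r.nonces, user) // single use: consumed whether or not the check passes
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}

func main() {
	reg := NewRegistry()
	pub, priv, _ := NewAccount()
	reg.Register("alice", pub)

	nonce, _ := reg.Challenge("alice")
	sig := Sign(priv, nonce)
	fmt.Println("owner login:", reg.Verify("alice", sig)) // <nil>
	fmt.Println("replay:     ", reg.Verify("alice", sig)) // error: nonce already consumed

	// Someone holding only the account name (say, from a leaked password
	// database) cannot produce a valid signature without the private key.
	_, otherKey, _ := NewAccount()
	nonce2, _ := reg.Challenge("alice")
	fmt.Println("wrong key:  ", reg.Verify("alice", Sign(otherKey, nonce2)))
	fmt.Println("challenge:  ", hex.EncodeToString(nonce2))
}
```

The thing to notice is what the server never holds: no password hash to crack, and the private key never leaves the user’s machine. That is exactly why a leaked account list, the failure mode described above, stops being enough to log in.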

These new security measures don’t come as a huge surprise, seeing as darkode had a massive problem with people using hacked accounts to leak information to law enforcement and journalists, as well as to scam users. Ironically, even the darkode administrators were compromised at one point, after one of them had reused his password on another forum whose database had been leaked a few weeks prior. Remember: password reuse is a much bigger risk than weak passwords.

Arrests

Because most countries do not publicly publish detailed arrest information the way the US does, there is no way to know who else was arrested other than those indicted by the FBI; however, thanks to terrible opsec practices, a lot of them were known personally by other members, so word of mouth gives us a few more names to add to the list. It’s interesting to note that only about two of the arrested members had even been active on darkode in the past few years, suggesting that the FBI might have just grouped together a list of known criminals who also happened to be on darkode, rather than targeting the forum itself.
As of now, this is the current list of arrested or allegedly arrested users: