Historical OSINT - A Portfolio of Fake/Rogue Video Codecs
Shall we expose a huge domains portfolio of fake/rogue video codecs dropping the same Zlob variant on each and every of the domains, thereby acting as a great example of what malicious economies of scale means?
Currently active Zlob malware variants promoting sites:
hxxp://pornqaz.com
hxxp://uinsex.com
hxxp://qazsex.com
hxxp://sexwhite.net
hxxp://lightporn.net
hxxp://xeroporn.com
hxxp://brakeporn.net
hxxp://sexclean.net
hxxp://delfiporn.net
hxxp://pornfire.net
hxxp://redcodec.net
hxxp://democodec.com
hxxp://delficodec.com
hxxp://turbocodec.net
hxxp://gamecodec.com
hxxp://blackcodec.net
hxxp://xerocodec.com
hxxp://ixcodec.net
hxxp://codecdemo.com
hxxp://ixcodec.com
hxxp://citycodec.com
hxxp://codecthe.com
hxxp://codecnitro.com
hxxp://codecbest.com
hxxp://codecspace.com
hxxp://popcodec.net
hxxp://uincodec.com
hxxp://xhcodec.com
hxxp://stormcodec.net
hxxp://codecmega.com
hxxp://whitecodec.com
hxxp://jetcodec.com
hxxp://endcodec.com
hxxp://abccodec.com
hxxp://codecred.net
hxxp://cleancodec.com
hxxp://herocodec.com
hxxp://nicecodec.com
Related MD5s, known, to, have, participated, in, the, campaign:
MD5: 30965fdbd893990dd24abda2285d9edc
Why are the malicious parties so KISS oriented at the end of every campaign, compared to the complexity and tactical warfare tricking automated malware harvesting approaches within the beginning of the campaign? Because they're not even considering the possibility of proactively detecting the end of many other malware campaigns to come, which will inevitable be ending up to these domains.
Currently active Zlob malware variants promoting sites:
hxxp://pornqaz.com
hxxp://uinsex.com
hxxp://qazsex.com
hxxp://sexwhite.net
hxxp://lightporn.net
hxxp://xeroporn.com
hxxp://brakeporn.net
hxxp://sexclean.net
hxxp://delfiporn.net
hxxp://pornfire.net
hxxp://redcodec.net
hxxp://democodec.com
hxxp://delficodec.com
hxxp://turbocodec.net
hxxp://gamecodec.com
hxxp://blackcodec.net
hxxp://xerocodec.com
hxxp://ixcodec.net
hxxp://codecdemo.com
hxxp://ixcodec.com
hxxp://citycodec.com
hxxp://codecthe.com
hxxp://codecnitro.com
hxxp://codecbest.com
hxxp://codecspace.com
hxxp://popcodec.net
hxxp://uincodec.com
hxxp://xhcodec.com
hxxp://stormcodec.net
hxxp://codecmega.com
hxxp://whitecodec.com
hxxp://jetcodec.com
hxxp://endcodec.com
hxxp://abccodec.com
hxxp://codecred.net
hxxp://cleancodec.com
hxxp://herocodec.com
hxxp://nicecodec.com
Related MD5s, known, to, have, participated, in, the, campaign:
MD5: 30965fdbd893990dd24abda2285d9edc
Why are the malicious parties so KISS oriented at the end of every campaign, compared to the complexity and tactical warfare tricking automated malware harvesting approaches within the beginning of the campaign? Because they're not even considering the possibility of proactively detecting the end of many other malware campaigns to come, which will inevitable be ending up to these domains.
About Dancho Danchev
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
