Monday, May 29, 2017

Historical OSINT - A Portfolio of Fake/Rogue Video Codecs

Shall we expose a huge domains portfolio of fake/rogue video codecs dropping the same Zlob variant on each and every of the domains, thereby acting as a great example of what malicious economies of scale means?

Currently active Zlob malware variants promoting sites:
hxxp://pornqaz.com
hxxp://uinsex.com
hxxp://qazsex.com
hxxp://sexwhite.net
hxxp://lightporn.net
hxxp://xeroporn.com
hxxp://brakeporn.net
hxxp://sexclean.net
hxxp://delfiporn.net
hxxp://pornfire.net
hxxp://redcodec.net
hxxp://democodec.com
hxxp://delficodec.com
hxxp://turbocodec.net
hxxp://gamecodec.com
hxxp://blackcodec.net
hxxp://xerocodec.com
hxxp://ixcodec.net
hxxp://codecdemo.com
hxxp://ixcodec.com
hxxp://citycodec.com
hxxp://codecthe.com
hxxp://codecnitro.com
hxxp://codecbest.com
hxxp://codecspace.com
hxxp://popcodec.net
hxxp://uincodec.com
hxxp://xhcodec.com
hxxp://stormcodec.net
hxxp://codecmega.com
hxxp://whitecodec.com
hxxp://jetcodec.com
hxxp://endcodec.com
hxxp://abccodec.com
hxxp://codecred.net
hxxp://cleancodec.com
hxxp://herocodec.com
hxxp://nicecodec.com

Related MD5s, known, to, have, participated, in, the, campaign:
MD5: 30965fdbd893990dd24abda2285d9edc

Why are the malicious parties so KISS oriented at the end of every campaign, compared to the complexity and tactical warfare tricking automated malware harvesting approaches within the beginning of the campaign? Because they're not even considering the possibility of proactively detecting the end of many other malware campaigns to come, which will inevitable be ending up to these domains.