Historical OSINT - A Portfolio of Fake/Rogue Video Codecs

Shall we expose a huge domain portfolio of fake/rogue video codecs dropping the same Zlob variant on each and every one of the domains, thereby acting as a great example of what malicious economies of scale mean?

Currently active sites promoting Zlob malware variants:

Related MD5s known to have participated in the campaign:
MD5: 30965fdbd893990dd24abda2285d9edc

Why are the malicious parties so KISS-oriented at the end of every campaign, compared to the complexity and the tactical warfare of tricking automated malware harvesting approaches at the beginning of the campaign? Because they're not even considering the possibility of proactively detecting the end of many other malware campaigns to come, which will inevitably end up at these domains.

About Dancho Danchev

Threat Intelligence Analysis (OSINT/Cyber Counter Threat Intelligence/). Approach me ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011 SilentCircle ID: ddanchev +507 833-8931