By Dancho Danchev
Fraudsters are currently spamvertising tens of thousands of emails enticing users into installing rogue casino software classified as potentially unwanted applications (PUAs). Most commonly known as W32/Casonline, this scam earns revenue through the rogue online gambling software’s affiliate network.
More details:
Sample screenshots of the landing URLs:
Spamvertised URLs:
hxxp://luckynuggetcasino.com – 67.211.111.163
hxxp://888casino.com – 213.52.252.59
hxxp://spinpalace.com – 109.202.114.65
hxxp://alljackpotscasino.com – 64.34.230.122
hxxp://allslotscasino.com – 64.34.230.149
We’re also aware of the following MD5s that have phoned back to the same IP (213.52.252.59):
Detection rates for the spamvertised PUA executables:
AllJackpots.exe – MD5: c27e1850653ab524612abb367fbb9bc8 – detected by 8 out of 47 antivirus scanners as Win32/PrimeCasino; Riskware/CasOnline
SpinPalace.exe – MD5: 9a7b039e923e92e9a0923a2ecf758daa – detected by 4 out of 47 antivirus scanners as W32/Casino.P.gen!Eldorado; HV_CASINO_CB240086.TOMC
luckynugget.exe – MD5: 829f4f750f40ec83d73b9db025c0f08f – detected by 2 out of 47 antivirus scanners as GAME/Casino.Gen
reefclubcasino.exe – MD5: 5f732fe8e005639a786753fd32d413a2 – detected by 2 out of 47 antivirus scanners as Skodna.Casino.DG
AllSlots.exe – MD5: 0b582fc2171880291107eb724d5fd7bf – detected by 2 out of 47 antivirus scanners as GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
We advise users to avoid interacting with any kind of content distributed through spam messages, especially clicking on any of the links found in such emails.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.