By Dancho Danchev
Fraudsters are currently spamvertising tens of thousands of emails enticing users into installing rogue, potentially unwanted (PUAs) casino software. Most commonly known as W32/Casonline, this scam earns revenue through the rogue online gambling software’s affiliate network.
Sample screenshots of the landing URLs:
hxxp://luckynuggetcasino.com – 188.8.131.52
hxxp://888casino.com – 184.108.40.206
hxxp://spinpalace.com – 220.127.116.11
hxxp://alljackpotscasino.com – 18.104.22.168
hxxp://allslotscasino.com – 22.214.171.124
We’re also aware of the following MD5s that have also phoned back to the same IP (126.96.36.199):
Detection rates for the spamvertised PUA executables:
AllJackpots.exe – MD5: c27e1850653ab524612abb367fbb9bc8 - detected by 8 out of 47 antivirus scanners as Win32/PrimeCasino; Riskware/CasOnline
SpinPalace.exe – MD5: 9a7b039e923e92e9a0923a2ecf758daa - detected by 4 out of 47 antivirus scanners as W32/Casino.P.gen!Eldorado; HV_CASINO_CB240086.TOMC
luckynugget.exe – MD5: 829f4f750f40ec83d73b9db025c0f08f – detected by 2 out of 47 antivirus scanners as GAME/Casino.Gen;
reefclubcasino.exe – MD5: 5f732fe8e005639a786753fd32d413a2 – detected by 2 out of 47 antivirus scanners as Skodna.Casino.DG
AllSlots.exe – MD5: 0b582fc2171880291107eb724d5fd7bf - detected by 2 out of 47 antivirus scanners as GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
We advise users to avoid interacting with any kind of content distributed through spam messages, especially clicking on any of the links found in such emails.