Tens of thousands of spamvertised emails lead to the Win32/PrimeCasino PUA (Potentially Unwanted Application)

By Dancho Danchev

Looking for legitimate online gambling services? You may want to skip the rogue online casinos that I’ll highlight in this post. Over the past few days, we intercepted multiple spam campaigns launched by the same party, enticing users into downloading fake online casino software that is most commonly detected as the Win32/PrimeCasino or Win32/Casonline PUA (Potentially Unwanted Application).

More details:

Sample screenshots of the landing pages:

[Screenshots: the spamvertised Royal Vegas email and the landing pages pushing the W32.Casonline fake casino PUA]

Rogue domains reconnaissance:
royalvegascasino.com – 193.169.206.146
888casino.com – 213.52.252.59
spinpalace.com – 109.202.114.65
riverbelle1.com – 193.169.206.233
alljackpotscasino.com – 64.34.230.122
luckynuggetcasino.com – 67.211.111.163
allslotscasino.com – 64.34.230.149; 205.251.192.125; 205.251.195.210; 205.251.196.131; 205.251.199.63

Detection rates for the Potentially Unwanted Applications (PUAs):
AllJackpots.exe – MD5: fed4e5ba204f3b3034b882481a6ab002 – detected by 8 out of 47 antivirus scanners as Win32/PrimeCasino; W32/Casino.P.gen!Eldorado; PUP.PrimeCasino
luckynugget.exe – MD5: 1e97ddc0ed28f5256167bd93f56a46b2 – detected by 2 out of 47 antivirus scanners as GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
Riverbelle.exe – MD5: 1828fc794652e653e6083c204d3b1f34 – detected by 2 out of 47 antivirus scanners as GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
RoyalVegas.exe – MD5: 2dd87b67d4b7ca7a1bfae2192b09f8e6 – detected by 2 out of 47 antivirus scanners as GAME/Casino.Gen; W32/Casino.P.gen!Eldorado

Rogue casino domains known to have responded to 193.169.206.146:

Rogue casino MD5s known to have responded to 213.52.252.59:

Webroot SecureAnywhere users are proactively protected from these PUAs.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.