Multiple spamvertised bogus online casino themed campaigns intercepted in the wild

by

Share this news now.

Regular readers of Webroot’s Threat Blog are familiar with our series of posts detailing the proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications.

We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants. Let’s profile the campaigns, provide actionable intelligence on the rogue domains involved in the campaigns, as well as related MD5s known to have interacted with the same rogue infrastructure.

More details:

Sample screenshots of the landing pages for the rogue casinos: Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_01 Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_02 Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_03 Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_04 Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_05 Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_06

Spamvertised URLs:
hxxp://bit.ly/1brCoxg
hxxp://bit.ly/1bQRudq
hxxp://bit.ly/1mLQr5I
hxxp://bit.ly/MCOyaL
hxxp://bit.ly/1ec3UMN
hxxp://bit.ly/1hN6Vbd
hxxp://bit.ly/1mQ3XFu
hxxp://bit.ly/17DJ4pZ
hxxp://bit.ly/1ec2JNa
hxxp://bit.ly/1fBY6d5

W32.Casino PUA domains reconnaisance:
hxxp://rubyfortune.com – 78.24.211.177
hxxp://grandparkerpromo.com – 95.215.61.160
hxxp://kingneptunescasino1.com – 67.211.111.169
hxxp://riverbelle1.com – 193.169.206.233
hxxp://europacasino.com – 87.252.217.13
hxxp://vegaspartnerlounge.com – 66.212.242.136

Sample detection rates for the W32/Casino PUA:
MD5: b80db6ec0e6c968499ce01232fbfdc5c – detected by 3 out of 50 antivirus scanners as as W32/Casino.P.gen!Eldorado
MD5: 8326886267203e07145f63adf2e8f0a1 – detected by 3 out of 50 antivirus scanners as Heuristic.BehavesLike.Win32.Suspicious-DTR.S
MD5: a2a545adf4498e409f7971f326333333 – detected by 3 out of 50 antivirus scanners as W32/Casino.P.gen!Eldorado
MD5: 1cd6db7edbbc07d1c68968f584c0ac82 – detected by 3 out of 49 antivirus scanners as W32/Casino.P.gen!Eldorado

Once executed the sample phones back to:
clatz.fileslldl.eu – 87.248.203.254

Known to have been downloaded from the same IP (87.248.203.254) are also the following W32/Casonline variants:
MD5: 06c6b0381cde4720a5204ac38a5f22b9
MD5: 1022bef242c7361866f7af512ec893e0
MD5: c1a6055f5d240d3681febc6bd77701eb
MD5: e5fd6aa437b3520f35337d2dd7139f9a
MD5: 6f6713077249800818f26b7469eaf175
MD5: 6ebdf6f7187effe7b52463cf7241297a
MD5: 6ed118798a19a5dbf63a9279f33e0542
MD5: 6b651437a4553b91139178a930247035
MD5: e1beeae4d07942c7fca6eea945c9bdcd
MD5: 6ab968f86300ca677e9700f7c2dee8be
MD5: 6a872111b70e401cf083a7d27b45a74e
MD5: f85fa2bb2dff0333650db371e323e962

Webroot SecureAnywhere users are proactively protected from these threats.


Share this news now.
0 comments