By Dancho Danchev
Fraudsters are currently spamvertising tens of thousands of emails enticing users into installing rogue, potentially unwanted casino applications (PUAs). Most commonly known as W32/Casonline, this scam earns its operators revenue through the rogue online gambling software’s affiliate network.
Landing URLs from the spam and the IPs they resolve to (sample screenshots omitted):
hxxp://luckynuggetcasino.com – 22.214.171.124
hxxp://888casino.com – 126.96.36.199
hxxp://spinpalace.com – 188.8.131.52
hxxp://alljackpotscasino.com – 184.108.40.206
hxxp://allslotscasino.com – 220.127.116.11
We’re also aware of the following MD5s that have phoned back to the same IP (18.104.22.168):
Detection rates for the spamvertised PUA executables:
AllJackpots.exe – MD5: c27e1850653ab524612abb367fbb9bc8 – detected by 8 out of 47 antivirus scanners as Win32/PrimeCasino; Riskware/CasOnline
SpinPalace.exe – MD5: 9a7b039e923e92e9a0923a2ecf758daa – detected by 4 out of 47 antivirus scanners as W32/Casino.P.gen!Eldorado; HV_CASINO_CB240086.TOMC
luckynugget.exe – MD5: 829f4f750f40ec83d73b9db025c0f08f – detected by 2 out of 47 antivirus scanners as GAME/Casino.Gen
reefclubcasino.exe – MD5: 5f732fe8e005639a786753fd32d413a2 – detected by 2 out of 47 antivirus scanners as Skodna.Casino.DG
AllSlots.exe – MD5: 0b582fc2171880291107eb724d5fd7bf – detected by 2 out of 47 antivirus scanners as GAME/Casino.Gen; W32/Casino.P.gen!Eldorado
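As an added example (not code from the original post or from Webroot), the following Python matches the indicators listed above, the landing domains, the callback IP and the five PUA MD5s, against constructed proxy log lines and a constructed file-hash inventory; the log layout "<timestamp> <client-ip> <method> <url> <server-ip>" and all sample entries are assumptions.

```python
from urllib.parse import urlparse

# Indicators copied from the post above: landing domains, the callback IP, and the five PUA MD5s.
LANDING_HOSTS = {
    "luckynuggetcasino.com", "888casino.com", "spinpalace.com",
    "alljackpotscasino.com", "allslotscasino.com",
}
CALLBACK_IP = "18.104.22.168"
PUA_MD5S = {
    "c27e1850653ab524612abb367fbb9bc8": "AllJackpots.exe",
    "9a7b039e923e92e9a0923a2ecf758daa": "SpinPalace.exe",
    "829f4f750f40ec83d73b9db025c0f08f": "luckynugget.exe",
    "5f732fe8e005639a786753fd32d413a2": "reefclubcasino.exe",
    "0b582fc2171880291107eb724d5fd7bf": "AllSlots.exe",
}
def host_is_landing(url):
    """True when the URL's host is a listed landing domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LANDING_HOSTS)
def scan_proxy_log(lines):
    """Return (client-ip, url, reasons) for lines that touch a listed host or the callback IP."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # not the assumed '<ts> <client-ip> <method> <url> <server-ip>' layout; skip
        _ts, src, _method, url, dst = fields
        reasons = []
        if host_is_landing(url):
            reasons.append("landing-host")
        if dst == CALLBACK_IP:
            reasons.append("callback-ip")
        if reasons:
            hits.append((src, url, reasons))
    return hits
def match_hashes(inventory):
    """inventory maps file path -> MD5 hex in any case; returns path -> listed PUA name."""
    return {p: PUA_MD5S[h.lower()] for p, h in inventory.items() if h.lower() in PUA_MD5S}

# Constructed sample data, not real traffic; server IPs for listed hosts are those the post gives.
SAMPLE_PROXY_LOG = [
    "2013-03-05T10:02:11 10.0.0.15 GET http://luckynuggetcasino.com/dl/luckynugget.exe 22.214.171.124",
    "2013-03-05T10:02:40 10.0.0.15 GET http://example.org/index.html 203.0.113.5",
    "2013-03-05T10:05:03 10.0.0.22 POST http://cdn.spinpalace.com/track 188.8.131.52",
    "2013-03-05T10:07:19 10.0.0.15 GET http://update.invalid/ping 18.104.22.168",
]
SAMPLE_INVENTORY = {
    r"C:\Users\alice\Downloads\setup.exe": "C27E1850653AB524612ABB367FBB9BC8",
    r"C:\Windows\notepad.exe": "d41d8cd98f00b204e9800998ecf8427e",
}
```

Host matching covers subdomains of the listed domains, and hash matching is case-insensitive, so uppercase digests exported by some tools still match.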
We advise users to avoid interacting with any kind of content distributed through spam messages, especially clicking on any of the links found in such emails.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.