Regular readers of Webroot’s Threat Blog are familiar with our series of posts detailing the proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications.
We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants. Let’s profile the campaigns, provide actionable intelligence on the rogue domains involved in the campaigns, as well as related MD5s known to have interacted with the same rogue infrastructure.
W32.Casino PUA domains reconnaisance:
hxxp://rubyfortune.com – 188.8.131.52
hxxp://grandparkerpromo.com – 184.108.40.206
hxxp://kingneptunescasino1.com – 220.127.116.11
hxxp://riverbelle1.com – 18.104.22.168
hxxp://europacasino.com – 22.214.171.124
hxxp://vegaspartnerlounge.com – 126.96.36.199
Sample detection rates for the W32/Casino PUA:
MD5: b80db6ec0e6c968499ce01232fbfdc5c – detected by 3 out of 50 antivirus scanners as as W32/Casino.P.gen!Eldorado
MD5: 8326886267203e07145f63adf2e8f0a1 – detected by 3 out of 50 antivirus scanners as Heuristic.BehavesLike.Win32.Suspicious-DTR.S
MD5: a2a545adf4498e409f7971f326333333 – detected by 3 out of 50 antivirus scanners as W32/Casino.P.gen!Eldorado
MD5: 1cd6db7edbbc07d1c68968f584c0ac82 – detected by 3 out of 49 antivirus scanners as W32/Casino.P.gen!Eldorado
Once executed the sample phones back to:
clatz.fileslldl.eu – 188.8.131.52
Known to have been downloaded from the same IP (184.108.40.206) are also the following W32/Casonline variants:
Webroot SecureAnywhere users are proactively protected from these threats.