{"id":16120,"date":"2014-03-14T10:10:25","date_gmt":"2014-03-14T16:10:25","guid":{"rendered":"https://www.webroot.com/blog/?p=16120"},"modified":"2018-10-05T13:19:11","modified_gmt":"2018-10-05T19:19:11","slug":"spamvertised-bogus-online-casino-themed-emails-lead-w32casino","status":"publish","type":"post","link":"https://www.webroot.com/blog/2014\/03\/14\/spamvertised-bogus-online-casino-themed-emails-lead-w32casino\/","title":{"rendered":"Multiple spamvertised bogus online casino themed campaigns intercepted in the wild"},"content":{"rendered":"

Regular readers of Webroot’s Threat Blog are familiar with our series of posts<\/strong><\/a>\u00a0detailing the proliferation of social engineering driven, privacy-violating campaigns serving W32\/Casino variants. Relying on affiliate based revenue sharing schemes<\/strong><\/a>\u00a0and\u00a0spamvertised<\/strong><\/a> campaigns as the primary distribution vectors<\/strong><\/a>, the rogue operators behind them continue tricking tens of thousands of gullible users<\/strong><\/a> into installing the malicious applications.<\/p>\n

We’ve recently intercepted a series of spamvertised campaigns distributing W32\/Casino variants. Let’s profile the campaigns, provide actionable intelligence on the rogue domains involved in the campaigns, as well as related MD5s known to have interacted with the same rogue infrastructure.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshots of the landing pages for the rogue casinos:<\/strong> \"Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA\"<\/a> \"Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_01\"<\/a> \"Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_02\"<\/a> \"Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_03\"<\/a> \"Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_04\"<\/a> \"Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_05\"<\/a> \"Online_Casino_Gambling_W32_Casino_Potentially_Unwanted_Applicationc_PUA_06\"<\/a><\/p>\n

Spamvertised URLs:<\/strong>
\nhxxp:\/\/bit.ly\/1brCoxg
\nhxxp:\/\/bit.ly\/1bQRudq
\nhxxp:\/\/bit.ly\/1mLQr5I
\nhxxp:\/\/bit.ly\/MCOyaL
\nhxxp:\/\/bit.ly\/1ec3UMN
\nhxxp:\/\/bit.ly\/1hN6Vbd
\nhxxp:\/\/bit.ly\/1mQ3XFu
\nhxxp:\/\/bit.ly\/17DJ4pZ
\nhxxp:\/\/bit.ly\/1ec2JNa
\nhxxp:\/\/bit.ly\/1fBY6d5<\/p>\n

W32.Casino PUA domains reconnaisance:<\/strong>
\nhxxp:\/\/rubyfortune.com – 78.24.211.177
\nhxxp:\/\/grandparkerpromo.com – 95.215.61.160
\nhxxp:\/\/kingneptunescasino1.com – 67.211.111.169
\nhxxp:\/\/riverbelle1.com – 193.169.206.233
\nhxxp:\/\/europacasino.com – 87.252.217.13
\nhxxp:\/\/vegaspartnerlounge.com – 66.212.242.136<\/p>\n

Sample detection rates for the W32\/Casino PUA:<\/strong>
\nMD5: b80db6ec0e6c968499ce01232fbfdc5c<\/strong><\/a> – detected by 3 out of 50 antivirus scanners as as W32\/Casino.P.gen!Eldorado
\nMD5: 8326886267203e07145f63adf2e8f0a1<\/strong><\/a> – detected by 3 out of 50 antivirus scanners as Heuristic.BehavesLike.Win32.Suspicious-DTR.S
\nMD5: a2a545adf4498e409f7971f326333333<\/strong><\/a> – detected by 3 out of 50 antivirus scanners as W32\/Casino.P.gen!Eldorado
\nMD5: 1cd6db7edbbc07d1c68968f584c0ac82<\/strong><\/a> – detected by 3 out of 49 antivirus scanners as W32\/Casino.P.gen!Eldorado<\/p>\n

Once executed the sample phones back to:<\/strong>
\nclatz.fileslldl.eu – 87.248.203.254<\/p>\n

Known to have been downloaded from the same IP (87.248.203.254) are also the following W32\/Casonline variants:<\/strong>
\nMD5: 06c6b0381cde4720a5204ac38a5f22b9
\nMD5: 1022bef242c7361866f7af512ec893e0
\nMD5: c1a6055f5d240d3681febc6bd77701eb
\nMD5: e5fd6aa437b3520f35337d2dd7139f9a
\nMD5: 6f6713077249800818f26b7469eaf175
\nMD5: 6ebdf6f7187effe7b52463cf7241297a
\nMD5: 6ed118798a19a5dbf63a9279f33e0542
\nMD5: 6b651437a4553b91139178a930247035
\nMD5: e1beeae4d07942c7fca6eea945c9bdcd
\nMD5: 6ab968f86300ca677e9700f7c2dee8be
\nMD5: 6a872111b70e401cf083a7d27b45a74e
\nMD5: f85fa2bb2dff0333650db371e323e962<\/p>\n

Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these threats.<\/p>\n","protected":false},"excerpt":{"rendered":"

Regular readers of Webroot’s Threat Blog are familiar with our series of posts\u00a0detailing the proliferation of social engineering driven, privacy-violating campaigns serving W32\/Casino variants. Relying on affiliate based revenue sharing schemes\u00a0and\u00a0spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications. […]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[17385,17381,17389,17383,4811,3871,17387,11559,5257,16325,23177,4893,3875,5721,17391,5883,17395,17399,17393,23179],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16120"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=16120"}],"version-history":[{"count":16,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16120\/revisions"}],"predecessor-version":[{"id":25801,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16120\/revisions\/25801"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=16120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=16120"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=16120"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=16120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}