Proofpoint identified the large cybercrime actor TA575 distributing Dridex malware using Squid Game lures. The threat actor is purporting to be entities associated with the Netflix global phenomenon using emails enticing targets to get early access to a new season of Squid Game or to become a part of the TV show casting.
On October 27, 2021, Proofpoint observed thousands of emails targeting all industries primarily in the United States. The emails used subjects such as:
- Squid Game is back, watch new season before anyone else.
- Invite for Customer to access the new sesason. [sic]
- Squid game new season commercials casting preview
- Squid game scheduled season commercials talent cast schedule
The emails tell the victim to fill out either an attached document to get early access to the new season of the show or a talent form to become part of the background casting. The attachments are Excel documents with macros that, if enabled, download the Dridex banking trojan (affiliate ID “22203”) from Discord URLs. Dridex is a prolific banking trojan distributed by multiple affiliates; an infection can lead to data theft and the installation of follow-on malware such as ransomware.
“Threat actors worldwide are continuing to target people with agile and relevant attacks. At Proofpoint we see 94% of cyberattacks starting via email, and more than 99% of those requiring human interaction to activate and enable the attack,” said Emile Abou Saleh, Regional Director, Middle East and Africa for Proofpoint. “In addition, Proofpoint’s recent regional research found that 70% of CISOs/CSOs in the UAE believe that human error was one of the biggest risk factors for their organization. As these threats grow in scope and sophistication, it is critical that organizations and people alike shore up their defenses against email fraud by adopting cybersecurity software to protect themselves from threat actors. Companies need to remain alert and foster a strong security culture through effective and ongoing security awareness training,” he concluded.
TA575 is a Dridex affiliate tracked by Proofpoint since late 2020. This group distributes malware via malicious URLs, Microsoft Office attachments, and password-protected files. On average, TA575 sends thousands of emails per campaign impacting hundreds of organizations. TA575 also uses the Discord content delivery network (CDN) to host and distribute Dridex. Discord, a communications platform with consumer and enterprise uses, is an increasingly popular malware hosting service for cybercriminals.
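The delivery chain described above (an Excel macro that, once enabled, fetches Dridex from the Discord CDN) can be triaged with a simple heuristic over extracted VBA source. The following is an added example, not Proofpoint's code; it assumes the macro text has already been pulled out of the attachment (for instance with oletools' olevba) and uses the known Discord CDN hostnames, with a constructed, non-functional fixture standing in for a real sample.

```python
import re

# Added example, not from the original release: score one VBA module for the
# chain described in the text: auto-execute entry point + download primitive
# + payload hosted on the Discord CDN. Input is macro source extracted elsewhere.

AUTO_EXEC = re.compile(r"\b(Auto_Open|Workbook_Open|Document_Open|AutoOpen)\b", re.I)
DOWNLOADERS = re.compile(
    r"\b(URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|WScript\.Shell)\b",
    re.I,
)
URL = re.compile(r"https?://[^\s\"']+", re.I)
DISCORD_CDN = ("cdn.discordapp.com", "media.discordapp.net")  # Discord CDN hosts


def triage_macro(vba_source: str) -> dict:
    """Return the indicators found in the module and an overall verdict."""
    urls = URL.findall(vba_source)
    discord_urls = [u for u in urls if any(h in u.lower() for h in DISCORD_CDN)]
    findings = {
        "auto_exec": sorted({m.group(0) for m in AUTO_EXEC.finditer(vba_source)}),
        "downloader": sorted({m.group(0) for m in DOWNLOADERS.finditer(vba_source)}),
        "discord_cdn_urls": discord_urls,
        "other_urls": [u for u in urls if u not in discord_urls],
    }
    # Flag only when all three parts of the described chain are present, to keep
    # ordinary macros that merely open a corporate URL out of the alert queue.
    findings["suspicious"] = bool(
        findings["auto_exec"] and findings["downloader"] and discord_urls
    )
    return findings


# Constructed fixture: indicator strings only, not a working dropper.
SAMPLE_MACRO = """
Private Sub Workbook_Open()
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "https://cdn.discordapp.com/attachments/PLACEHOLDER/form.bin", False
End Sub
"""

# Constructed benign module: opens an intranet page on a button click, no auto-exec.
BENIGN_MACRO = """
Sub Button1_Click()
    ThisWorkbook.FollowHyperlink "https://intranet.example.com/forms"
End Sub
"""

if __name__ == "__main__":
    print(triage_macro(SAMPLE_MACRO))
    print(triage_macro(BENIGN_MACRO))
```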
TA575 themes generally include invoicing and payments, but occasionally include popular news, events, and cultural references. Cybercriminal threat actors in general have pounced on Squid Game as a popular lure and malware theme. This makes sense: as Squid Game is Netflix’s “biggest ever” series, the pool of potential victims who would inadvertently interact with malicious content associated with it is larger than for a generic lure theme. TA575 is betting that the invitation to be part of the upcoming season will entice more users to interact with the malicious Microsoft Excel file.
-Ends-
© Press Release 2021