The significant cybercrime actor TA575 used Squid Game lures to distribute Dridex malware, according to Proofpoint. The threat actor is posing as Netflix-related companies, sending emails inviting targets to receive early access to a new season of Squid Game or to take part in the TV show's casting process.
Proofpoint discovered thousands of emails targeting all industries, particularly in the United States, on October 27, 2021. Subjects in the emails included:
“Threat actors worldwide are continuing to target people with agile and relevant attacks. At Proofpoint, we see 94% of cyberattacks starting via email, and more than 99% of those requiring human interaction to activate and enable the attack,” said Emile Abou Saleh, Regional Director, Middle East and Africa for Proofpoint.
“In addition, Proofpoint’s recent regional research found that 70% of CISOs/CSOs in the UAE believe that human error was one of the biggest risk factors for their organization. As these threats grow in scope and sophistication, it is critical that organizations and people alike shore up their defenses against email fraud by adopting cybersecurity software to protect themselves from threat actors. Companies need to remain alert and foster a strong security culture through effective and ongoing security awareness training,” he concluded.
The emails instruct the recipient either to fill out an attached document to receive early access to the show’s upcoming season or to complete a talent form to be considered for background casting. The attachments are Excel spreadsheets that, if activated, download the Dridex banking trojan (affiliate ID “22203”) from Discord URLs. Dridex is a widely circulated banking trojan that can lead to data theft and the installation of further payloads such as ransomware.
Proofpoint has been tracking TA575 as a Dridex affiliate since late 2020. The group spreads malware using malicious URLs, Microsoft Office attachments, and password-protected files. TA575 sends thousands of emails per campaign, affecting hundreds of organizations on average. TA575 also hosts and distributes Dridex via the Discord content delivery network (CDN). Cybercriminals are increasingly using Discord, a messaging platform with consumer and commercial applications, as a malware hosting service.
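As an added example (not Proofpoint's or TA575's own material), the following Python triages constructed endpoint telemetry for the delivery chain described above: an Office process fetching a payload from the Discord CDN. The CDN host names, process names and the sample records are assumptions made for illustration, not indicators from the campaign.

```python
from urllib.parse import urlparse

# Constructed sample telemetry: which process made an outbound request and to what URL.
# These records are made up for illustration; they are not indicators from the campaign.
SAMPLE_EVENTS = [
    {"process": "EXCEL.EXE", "url": "https://cdn.discordapp.com/attachments/1111/2222/update.dll"},
    {"process": "chrome.exe", "url": "https://cdn.discordapp.com/attachments/3333/4444/photo.png"},
    {"process": "EXCEL.EXE", "url": "https://sharepoint.example.com/sites/finance/q3.xlsx"},
    {"process": "EXCEL.EXE", "url": "https://media.discordapp.net/attachments/5555/6666/form.png"},
    {"process": "powershell.exe", "url": "https://cdn.discordapp.com/attachments/7777/8888/inv.exe"},
]

# Assumed values: Office binaries that normally have no business fetching binaries,
# Discord CDN hosts, and file extensions that indicate executable content.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".ps1", ".js", ".vbs")


def classify_event(event):
    """Return a severity label for one (process, url) record.

    high   - Office process pulls executable content from the Discord CDN
    medium - Office process talks to the Discord CDN at all
    low    - any process pulls executable content from the Discord CDN
    none   - nothing matching the chain described in the report
    """
    parsed = urlparse(event["url"])
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    from_office = event["process"].lower() in OFFICE_PROCESSES
    from_discord = host in DISCORD_CDN_HOSTS
    executable = path.endswith(EXECUTABLE_EXTENSIONS)
    if from_office and from_discord and executable:
        return "high"
    if from_office and from_discord:
        return "medium"
    if from_discord and executable:
        return "low"
    return "none"


def triage(events):
    """Return (process, url, severity) for every event that is not benign, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [(e["process"], e["url"], classify_event(e)) for e in events]
    hits = [h for h in hits if h[2] != "none"]
    return sorted(hits, key=lambda h: order[h[2]])


if __name__ == "__main__":
    for process, url, severity in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {process:16} {url}")
```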
Invoicing and payments are common TA575 subjects, but the group also incorporates popular news, events, and cultural references. Squid Game has become a popular lure and malware-delivery theme for cybercriminal threat actors in general. This makes sense: because Squid Game is Netflix’s “largest ever” series, the number of people who might unwittingly interact with malicious content linked to it is larger than for a generic lure. TA575’s offer to participate in the upcoming season is intended to tempt more users to open the malicious Microsoft Excel file.