TA575 Criminal Group Using ‘Squid Game’ Lures For Dridex Malware


Proofpoint discovered evidence of a prominent cybercrime gang spreading the Dridex malware utilizing the popularity of Netflix’s blockbuster “Squid Game.”


Proofpoint stated in a blog post that TA575, a “major cybercrime actor,” has sent emails impersonating the show, urging recipients to download malicious files or fill out forms with personal information.


The emails carry subject lines such as: “Squid Game is back, watch new season before anyone else,” “Invite for Customer to access the new season,” “Squid game new season commercials casting preview,” and “Squid game scheduled season commercials talent cast schedule.”

Proofpoint said it discovered hundreds of emails that used the lures and targeted a number of companies in the United States. Some of the emails try to entice victims by claiming that if they download and fill out a form, they would be able to appear on the show.


“The attachments are Excel documents with macros that, if enabled, will download the Dridex banking trojan affiliate id ‘22203’ from Discord URLs,” Proofpoint researchers Axel F and Selena Larson wrote. 


Dridex, according to Sherrod DeGrippo, vice president of threat detection and response at Proofpoint, is a banking trojan that siphons money directly from the victim’s bank account.


“But Dridex is also used for information gathering or as a malware loader that can lead to follow-on infections such as ransomware,” DeGrippo added. 


Proofpoint has tracked TA575 since late 2020 and says the group typically spreads Dridex via “malicious URLs, Microsoft Office attachments, and password-protected files.” The gang uses a variety of lures to get victims to click links or open documents, frequently referencing pop culture or using invoice-related language in its emails.


“On average, TA575 sends thousands of emails per campaign impacting hundreds of organizations. TA575 also uses the Discord content delivery network (CDN) to host and distribute Dridex,” the Proofpoint researchers said, adding that Discord has become a “popular malware-hosting service for cybercriminals.” 
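The two technical details above, macro-enabled Excel attachments that fetch the payload from Discord URLs and the Discord CDN serving as the hosting layer, translate into a simple detection: an Office process downloading a Discord attachment, especially an executable one, is the infection chain showing up in proxy or EDR telemetry. The following is an added example written for this page, not code from Proofpoint or from the campaign; it assumes a JSON-lines log with `process`, `url` and `content_type` fields (real schemas differ and need mapping), the sample records are constructed, and the URLs in them are placeholders, not indicators from the campaign.

```python
"""Flag Office-spawned downloads from the Discord CDN in proxy/EDR logs.

Added example, not Proofpoint's or the campaign's code. Assumes each log
line is a JSON object with 'process', 'url' and 'content_type' fields.
"""
import json
from urllib.parse import urlparse

# Office processes whose own outbound file downloads are rarely legitimate.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Hosts that serve Discord attachments (assumed host list; extend as needed).
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Content types that should not come back from a macro-initiated fetch.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}


def is_discord_attachment(url):
    """True if the URL points at a Discord attachment path on a CDN host."""
    p = urlparse(url)
    return p.hostname in DISCORD_CDN_HOSTS and p.path.startswith("/attachments/")


def classify(event):
    """Return a severity for one log event, or None if it looks benign."""
    proc = event.get("process", "").lower()
    url = event.get("url", "")
    ctype = event.get("content_type", "").lower()
    if not is_discord_attachment(url):
        return None
    if proc in OFFICE_PROCESSES:
        # An Office process pulling a Discord attachment matches the
        # macro-downloader pattern; an executable payload makes it critical.
        return "critical" if ctype in EXECUTABLE_TYPES else "high"
    if ctype in EXECUTABLE_TYPES:
        # Executable pulled from Discord by a non-Office process: worth a look.
        return "medium"
    return None


def scan(lines):
    """Parse JSON-lines records and return (severity, process, url) findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed records are skipped, not fatal
        sev = classify(event)
        if sev:
            findings.append((sev, event.get("process"), event.get("url")))
    return findings


# Constructed sample records; IDs and file names are placeholders, not IOCs.
SAMPLE_LOG = """
{"process": "EXCEL.EXE", "url": "https://cdn.discordapp.com/attachments/111/222/update.exe", "content_type": "application/x-msdownload"}
{"process": "chrome.exe", "url": "https://cdn.discordapp.com/attachments/111/333/photo.png", "content_type": "image/png"}
{"process": "EXCEL.EXE", "url": "https://cdn.discordapp.com/attachments/111/444/form.dat", "content_type": "text/plain"}
{"process": "chrome.exe", "url": "https://cdn.discordapp.com/attachments/111/555/tool.exe", "content_type": "application/octet-stream"}
{"process": "WINWORD.EXE", "url": "https://example.invalid/template.dotm", "content_type": "application/octet-stream"}
not json
"""

if __name__ == "__main__":
    for sev, proc, url in scan(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {proc} -> {url}")
```

The rule keys on the process/host pair rather than on the payload hash, so it survives the operator re-uploading a new build; the trade-off is that a user who legitimately opens a Discord link from inside Excel will trigger the "high" tier and needs triage rather than automatic blocking.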


According to ThreatModeler CEO Archie Agarwal, TA575 is made up of prolific, financially motivated opportunists who specialize in Dridex malware and operate large numbers of Cobalt Strike servers.


Both the Dridex malware and the Cobalt Strike servers are examples of recycling other people’s work, according to Agarwal, who said that Dridex was first discovered in 2015 and was recognized for specializing in banking credential theft.


Lookout senior manager of security solutions Hank Schless said that during the COVID-19 pandemic, fraudsters used a variety of hooks related to vaccines or government assistance as bait for emails carrying malicious attachments.


Threat actors are also targeting consumers heavily through mobile channels such as SMS, social networking platforms, third-party messaging applications, games, and even dating apps, according to Lookout data. Schless added that one of the most interesting aspects of the Proofpoint research is that TA575 hosts and distributes the malware through the Discord CDN.

“This practice of using legitimate services as an intermediary command and control server is becoming more common. We frequently see it with data storage platforms like Dropbox as well. Attackers do this because it may help them slip by any detections more easily if the traffic looks legitimate,” Schless said.


