Proofpoint discovered evidence of a prominent cybercrime gang spreading the Dridex malware by exploiting the popularity of Netflix’s blockbuster “Squid Game.”
Proofpoint stated in a blog post that TA575, a “major cybercrime actor,” has sent emails posing as someone from the show, pushing users to download harmful files or fill out forms with personal information.
The emails carry subject lines such as: “Squid Game is back, watch new season before anyone else,” “Invite for Customer to access the new season,” “Squid game new season commercials casting preview,” and “Squid game scheduled season commercials talent cast schedule.”
Proofpoint said it discovered hundreds of emails that used the lures and targeted a number of companies in the United States. Some of the emails try to entice victims by claiming that if they download and fill out a form, they would be able to appear on the show.
“The attachments are Excel documents with macros that, if enabled, will download the Dridex banking trojan affiliate id ‘22203’ from Discord URLs,” Proofpoint researchers Axel F and Selena Larson wrote.
Dridex, according to Sherrod DeGrippo, vice president of threat detection and response at Proofpoint, is a banking trojan that siphons money directly from the victim’s bank account.
“But Dridex is also used for information gathering or as a malware loader that can lead to follow-on infections such as ransomware,” DeGrippo added.
Since late 2020, Proofpoint has been watching TA575, saying that the group often spreads Dridex via “malicious URLs, Microsoft Office attachments, and password-protected files.” The gang employs a number of enticements to get victims to click on links or download documents, frequently playing on pop culture or using invoice-related terminology in emails.
“On average, TA575 sends thousands of emails per campaign impacting hundreds of organizations. TA575 also uses the Discord content delivery network (CDN) to host and distribute Dridex,” the Proofpoint researchers said, adding that Discord has become a “popular malware-hosting service for cybercriminals.”
According to ThreatModeler CEO Archie Agarwal, the TA575 criminal cell is made up of prolific, financially driven opportunists who specialize in Dridex malware and run large numbers of Cobalt Strike servers.
Both the Dridex malware and the Cobalt Strike servers are examples of recycling other people’s work, according to Agarwal, who said that Dridex was first discovered in 2015 and was recognized for specializing in banking credential theft.
Lookout senior manager of security solutions Hank Schless stated that during the COVID-19 pandemic, fraudsters used a number of hooks relating to vaccines or government assistance as bait for emails with malicious attachments.
Threat actors are extensively targeting consumers via mobile channels such as SMS, social networking platforms, third-party messaging applications, games, and even dating apps, according to Lookout data. Schless went on to say that one of the most intriguing aspects of the research is that TA575 hosts and distributes the malware using the Discord CDN.
“This practice of using legitimate services as an intermediary command and control server is becoming more common. We frequently see it with data storage platforms like Dropbox as well. Attackers do this because it may help them slip by any detections more easily if the traffic looks legitimate,” Schless said.
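The two technical points in this report are the delivery chain (a macro-enabled Excel attachment that, once macros are enabled, fetches Dridex from Discord URLs) and Schless's observation that traffic to a legitimate service such as the Discord CDN looks benign on its own. The following detection sketch is an added example, not code from Proofpoint, Lookout, or the article, and it illustrates how a defender can key on the context of a download rather than on the destination alone: a fetch from the Discord CDN by a chat client or browser is ordinary, while the same fetch made by an Office process, or a payload-like file pulled by a non-browser process, is what a macro-driven download looks like in a proxy log. The pipe-separated log format, the workstation names, the timestamps and the URLs in the sample are all constructed for this example; cdn.discordapp.com is Discord's real CDN hostname, and the process and content-type lists are assumptions a team would tune to its own environment.

```python
"""Added example: flag Discord-CDN downloads whose requesting process makes no
sense for that destination (e.g. an Office application that just ran a macro).

Input is a constructed web-proxy log with one record per line:
    timestamp|workstation|process|url|content_type|bytes
This layout, and every sample line below, is an assumption for this example.
"""
import re
from urllib.parse import urlparse

# Discord's CDN hostname (real). Files uploaded to Discord are served from here.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}

# Processes that legitimately fetch from the Discord CDN in most environments
# (assumed list; tune to your own fleet).
EXPECTED_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Office applications: a download from a chat CDN by one of these is the
# signature of the macro-enabled document described in the report.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Content types and extensions that look like a dropped payload (assumed list).
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-dosexec"}
PAYLOAD_EXT = re.compile(r"\.(exe|dll|scr|ps1|vbs|js)(\?|$)", re.IGNORECASE)

# Constructed sample log: one benign chat-client fetch, two Office-process
# fetches from the Discord CDN, a browser PDF, an unknown process pulling a
# DLL, and an Office template fetch from a non-Discord host.
SAMPLE_LOG = """\
2021-10-28T14:02:11Z|ws-0173|discord.exe|https://cdn.discordapp.com/attachments/111/222/meme.png|image/png|48211
2021-10-28T14:03:47Z|ws-0173|excel.exe|https://cdn.discordapp.com/attachments/333/444/update.exe|application/octet-stream|519168
2021-10-28T14:03:49Z|ws-0091|chrome.exe|https://cdn.discordapp.com/attachments/555/666/report.pdf|application/pdf|90210
2021-10-28T14:05:02Z|ws-0042|excel.exe|https://cdn.discordapp.com/attachments/777/888/data.bin|application/octet-stream|388096
2021-10-28T14:05:40Z|ws-0091|unknown.exe|https://cdn.discordapp.com/attachments/999/000/tool.dll|application/x-msdownload|61440
2021-10-28T14:06:30Z|ws-0042|winword.exe|https://example.com/templates/letter.dotx|application/vnd.openxmlformats-officedocument.wordprocessingml.template|20480
"""


def parse_line(line):
    """Split one proxy record into a dict; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        return None
    ts, host, proc, url, ctype, size = parts
    return {"ts": ts, "host": host, "process": proc.lower(),
            "url": url, "content_type": ctype.lower(), "bytes": int(size)}


def classify(rec):
    """Return 'high', 'medium' or None for one parsed record.

    high:   an Office process fetched a payload-like file from the Discord CDN
    medium: an Office process fetched anything from the Discord CDN, or a
            non-browser, non-chat process fetched a payload-like file from it
    None:   not Discord CDN, or an expected client doing ordinary things
    """
    host = (urlparse(rec["url"]).hostname or "").lower()
    if host not in DISCORD_CDN_HOSTS:
        return None
    payload_like = (rec["content_type"] in PAYLOAD_TYPES
                    or PAYLOAD_EXT.search(rec["url"]) is not None)
    proc = rec["process"]
    if proc in OFFICE_PROCESSES:
        return "high" if payload_like else "medium"
    if payload_like and proc not in EXPECTED_CLIENTS:
        return "medium"
    return None


def find_suspicious_downloads(log_text):
    """Scan a whole log and return the flagged records in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            findings.append({**rec, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_downloads(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['host']} {f['process']} -> {f['url']}")
```

The rule deliberately does not block or even flag the Discord CDN host by itself: as the quote above notes, the traffic is indistinguishable from a user sharing a file, so the signal is the requesting process and the shape of the content, not the destination. In a real deployment the same logic would be joined with the mail-gateway record of the macro-enabled attachment that arrived minutes earlier, which is the other half of the chain Proofpoint describes.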