
Proofpoint: TA575 using ‘Squid Game’ lures to distribute malware

Proofpoint: TA575 uses Squid Game lures to distribute Dridex malware, with links sent via email promising early access to additional content and a new season.


Cybersecurity firm Proofpoint has discovered the large cybercrime actor TA575 using Squid Game lures to distribute Dridex malware. The threat actor pretends to be entities associated with the Netflix show and uses emails promising early access to a new season of the show and chances to become part of the cast.

Capitalising on the hit show

In late October, Proofpoint discovered thousands of emails targeting industries primarily in the United States. The subject lines were as follows:

  • Squid Game is back, watch new season before anyone else.
  • Invite for Customer to access the new sesason.[sic]
  • Squid game new season commercials casting preview
  • Squid game scheduled season commercials talent cast schedule

The emails instruct the target to complete either an attached document to get early access to the new season of the show, or an application to become part of the background casting. The attachments are Excel documents with macros that, if enabled, download the Dridex banking Trojan (affiliate ID “22203”) from Discord URLs. Dridex is a widespread banking trojan that allows for data theft and installation of additional malware.
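The chain described above (lure subject, macro-capable Excel attachment, payload hosted on the Discord CDN) gives a defender three indicators that are weak alone but meaningful together. The following triage script is an added example, not Proofpoint's detection logic; it runs over constructed mail-gateway log lines, and the Discord CDN hostname and the JSON log shape are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample gateway log lines (one JSON object per message); not real campaign data.
SAMPLE_LOG = """
{"id": "m1", "subject": "Squid Game is back, watch new season before anyone else.", "attachments": ["casting_invite.xlsm"], "urls": []}
{"id": "m2", "subject": "Invoice 4471 overdue", "attachments": ["invoice.pdf"], "urls": ["https://example.com/pay"]}
{"id": "m3", "subject": "Squid game new season commercials casting preview", "attachments": ["application.xls"], "urls": ["https://cdn.discordapp.com/attachments/1/2/form.xls"]}
{"id": "m4", "subject": "Team lunch Friday", "attachments": [], "urls": ["https://cdn.discordapp.com/attachments/9/8/photo.png"]}
"""

# Phrasing drawn from the reported subject lines; "se\w*ason" also tolerates the "sesason" typo.
LURE_PATTERN = re.compile(r"squid\s*game|new\s+se\w*ason|casting", re.IGNORECASE)
# Excel formats that can carry VBA macros. Plain .xlsx cannot, so it is deliberately excluded.
MACRO_EXCEL_EXT = (".xls", ".xlsm", ".xlsb", ".xlam")
# Assumed hostname for the Discord content delivery network named in the report.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}

def score_message(msg):
    """Return the list of indicator names that fire for one parsed message."""
    reasons = []
    if LURE_PATTERN.search(msg.get("subject", "")):
        reasons.append("lure-subject")
    if any(a.lower().endswith(MACRO_EXCEL_EXT) for a in msg.get("attachments", [])):
        reasons.append("macro-capable-excel")
    if any(urlparse(u).hostname in DISCORD_CDN_HOSTS for u in msg.get("urls", [])):
        reasons.append("discord-cdn-url")
    return reasons

def triage(log_text, min_reasons=2):
    """Return {message_id: reasons} for messages with at least min_reasons indicators.

    Requiring two indicators keeps a lone Discord image link (m4) or a lone
    lure-like subject from alerting on its own.
    """
    hits = {}
    for line in log_text.strip().splitlines():
        msg = json.loads(line)
        reasons = score_message(msg)
        if len(reasons) >= min_reasons:
            hits[msg["id"]] = reasons
    return hits

if __name__ == "__main__":
    for message_id, why in triage(SAMPLE_LOG).items():
        print(message_id, why)
```

Tune `min_reasons` and the host set to your environment; legitimate Discord traffic is common, so the CDN indicator should never alert alone.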

Netflix Squid Game email lure inviting targets to get early access to a new season
Netflix Squid Game email lure soliciting actors and background talent to apply to be on the show or show commercials

Widespread attacks

“Threat actors worldwide are continuing to target people with agile and relevant attacks. At Proofpoint we see 94% of cyberattacks starting via email, and more than 99% of those requiring human interaction to activate and enable the attack,” said Emile Abou Saleh, Regional Director, Middle East and Africa for Proofpoint. “In addition, Proofpoint’s recent regional research found that 70% of CISOs/CSOs in the UAE believe that human error was one of the biggest risk factors for their organisation.”

TA575 sends thousands of emails per campaign and is now using the Discord content delivery network to host and distribute Dridex. Discord, a communications platform with consumer and enterprise uses, is an increasingly popular malware hosting service for cybercriminals.

TA575 themes generally include invoicing and payments, but occasionally include popular news, events, and cultural references. TA575’s use of Squid Game lures was predictable, given the show’s huge success.