CYBERCRIME GANG TA575 CAPITALIZES ON SQUID GAME PHENOMENON
Squid Game? The Netflix megahit is taking the world by storm! I may be the only person who hasn’t watched it yet, but the premise is intriguing. In this South Korean drama, downtrodden contestants compete in children’s games where winners cash in and losers are executed. Squid Game became an instant hit for Netflix, already projected to smash records and become Netflix’s biggest show ever. Squid Game is obviously one of those shows with crazed fans around the world who can’t get enough of the drama, and their obsession with the show seems to spill over into real life. In fact, Netflix was forced to edit out scenes revealing the real-life phone number of a dessert shop owner in South Korea after the woman announced she was slammed with thousands of prank calls and texts about Squid Game. Netflix isn’t the only enterprise capitalizing on the popularity of Squid Game. Not to miss out on an opportunity themselves, a cybercrime gang known as TA575 has been identified distributing Dridex malware via Squid Game phishing lures. Using Squid Game as a lure to entice potential victims is a departure from how TA575 normally operates. TA575 typically uses social engineering tactics of authority and urgency as phishing bait with fake invoices and payment statements. However, TA575 and other cybercriminal groups have seized upon an opportunity to capitalize on the Squid Game phenomenon.
Here is how the scam works. TA575 threat actors send massive quantities of phishing emails claiming to be affiliated with Squid Game or Netflix. The emails are designed to entice victims by offering early access to the new season of Squid Game or roles as extras or background talent on the TV show. Emails from TA575 with Squid Game themes are targeting nearly every industry in the United States, due largely to the success of the Netflix hit show.
The phishing email will request for you to fill out an attached Excel document to get early access to the new season or to apply to become part of the show. The attachment is a Microsoft Office Excel document containing a malicious macro. Once enabled, the macro will download the Dridex trojan from a Discord URL. TA575 uses Discord, a legitimate and popular communications platform, to host and distribute Dridex. In fact, many hacking groups are using the Discord platform as a malware hosting service nowadays. Dridex is a popular banking trojan distributed by numerous threat actors and typically leads to additional malware, data theft, and ransomware.
The threat of subsequent ransomware such as DoppelPaymer again emphasizes the need for early detection and remediation of Dridex in any environment. However, prevention is always the best solution for cyberattacks beginning with a Dridex infection, including security awareness training and improved filtering of emails to prevent delivery of phishing emails targeting Squid Game fans!