Evidence has come to light of a prolific cybercrime group using the popularity of the Netflix hit “Squid Game” to spread the Dridex malware, with emails urging people to download malicious attachments or fill out forms with sensitive information.

The emails come with subject lines saying things like: “Squid Game is back, watch new season before anyone else,” “Invite for Customer to access the new season,” “Squid game new season commercials casting preview,” and “Squid game scheduled season commercials talent cast schedule.”

The attachments are Excel documents with macros that, if enabled, will download the Dridex banking trojan (affiliate ID ‘22203’) from Discord URLs. Besides its role as a banking trojan, Dridex is also used for information gathering or as a malware loader that can lead to follow-on infections such as ransomware.

TA575 typically distributes Dridex through “malicious URLs, Microsoft Office attachments, and password-protected files.” The gang uses a variety of lures to get victims to click on links or download documents, often playing off of pop culture or deploying invoice-related language in emails.

On average, TA575 sends thousands of emails per campaign, impacting hundreds of organizations. TA575 also uses the Discord content delivery network (CDN) to host and distribute Dridex.

The TA575 criminal group is made up of prolific, financially motivated opportunists who specialize in Dridex malware and operate swaths of Cobalt Strike servers. Both the Dridex malware and Cobalt Strike servers are examples of repurposing the work of others.

Using legitimate services as an intermediary command and control server is becoming more common. We frequently see it with data storage platforms like Dropbox as well. Attackers do this because it may help them slip by any detections more easily if the traffic looks legitimate.
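Because the destination alone looks legitimate, one way to surface the behaviour described above is to check which process made the request. The following is an added detection sketch, not code from the original article or from any vendor: it flags Office processes fetching from file-hosting services. The hostname list, the process list, the event field names and the sample events are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hostnames for the services the article names (Discord CDN, Dropbox).
FILE_HOSTING_SUFFIXES = ("discordapp.com", "discordapp.net",
                         "dropboxusercontent.com", "dropbox.com")
# Assumption: Office binaries that should rarely fetch files from such hosts.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed sample events (process name + requested URL), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-014", "process": "C:\\Program Files\\Office\\EXCEL.EXE",
     "url": "https://cdn.discordapp.com/attachments/0000/0000/placeholder.bin"},
    {"host": "WS-014", "process": "Discord.exe",
     "url": "https://cdn.discordapp.com/attachments/0000/0000/cat.png"},
    {"host": "WS-022", "process": "chrome.exe",
     "url": "https://www.dropbox.com/s/placeholder/report.pdf"},
    # Lookalike host: contains the service name but is not a subdomain of it.
    {"host": "WS-031", "process": "excel.exe",
     "url": "https://cdn.discordapp.com.example.net/attachments/x"},
    {"host": "WS-040", "process": "WINWORD.EXE",
     "url": "https://dl.dropboxusercontent.com/s/placeholder/doc.bin"},
]

def is_file_hosting(hostname):
    """True if hostname equals or is a subdomain of a listed service."""
    hostname = (hostname or "").lower().rstrip(".")
    return any(hostname == s or hostname.endswith("." + s)
               for s in FILE_HOSTING_SUFFIXES)

def flag_office_downloads(events):
    """Return events where an Office process requested a file-hosting URL."""
    hits = []
    for ev in events:
        # Accept either a bare image name or a full Windows path.
        proc = ev["process"].rsplit("\\", 1)[-1].lower()
        host = urlsplit(ev["url"]).hostname
        if proc in OFFICE_PROCESSES and is_file_hosting(host):
            hits.append({**ev, "reason": f"{proc} fetched from {host}"})
    return hits

if __name__ == "__main__":
    for hit in flag_office_downloads(SAMPLE_EVENTS):
        print(hit["host"], hit["reason"])
```

The same request made by the Discord client or a browser is not flagged, which is the point: the signal is the pairing of an Office parent process with the hosting service, not the domain's reputation.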