Analysts observed thousands of emails targeting all industries primarily in the United States. The emails used subjects such as:
Squid Game is back, watch new season before anyone else.
Invite for Customer to access the new sesason. [sic]
Squid game new season commercials casting preview
Squid game scheduled season commercials talent cast schedule
The emails tell the victim to fill out either an attached document to get early access to the new season of the show or a talent form to become part of the background casting.
The attachments are Excel documents with macros that, if enabled, will download the Dridex banking trojan affiliate id “22203” from Discord URLs. Dridex is a prolific banking trojan distributed by multiple affiliates that can lead to data theft and installation of follow-on malware such as ransomware.
TA575 is a Dridex affiliate that distributes malware via malicious URLs, Microsoft Office attachments, and password-protected files. On average, TA575 sends thousands of emails per campaign impacting hundreds of organizations. TA575 also uses the Discord content delivery network (CDN) to host and distribute Dridex. Discord, a communications platform with consumer and enterprise uses, is an increasingly popular malware hosting service for cybercriminals.
TA575 themes generally include invoicing and payments, but occasionally include popular news, events, and cultural references. Cybercriminal threat actors in general have pounced on Squid Game as a popular lure and malware theme.
This makes sense; as Squid Game is Netflix’s “biggest ever” series, the pool of potential victims who would inadvertently interact with malicious content associated with it is higher than a general lure theme. TA575 is betting the invitation to be part of the upcoming season will entice more users to interact with the malicious Microsoft Excel file.
Sign Up For Threat Alerts
Jul 04, 2023
Rhysida Ransomware RaaS Crawls Out of Crimeware...
The Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware...
Jun 26, 2023
Operation Magalenha – Long-Running Campaign Pursues Portuguese...
The attackers can steal credentials and exfiltrate users' data and personal information, which can be...
Apr 24, 2023
Lazarus Group Adds Linux Malware to Arsenal...
Researchers have discovered a new campaign conducted by Lazarus, known as "Operation DreamJob," which targets...
Apr 23, 2023
Additional IOCs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed.
Apr 23, 2023
Ex-Conti and FIN7 Actors Collaborate with New...
IBM Security X-Force recently discovered a new malware family Analysts have called "Domino," which Analysts...
Apr 20, 2023
AuKill EDR killer malware abuses Process Explorer...
The AuKill tool abuses an outdated version of the driver used by version 16.32 of...
Apr 20, 2023
Fake Chrome updates spread malware
A campaign running since the end of last year is using hacked sites to push...
Apr 20, 2023
QBot using new attack vector in its...
QBot, also known as QakBot, previously operated as a banking trojan and has since transformed...
Apr 20, 2023
CrossLock Ransomware Emerges: New Golang – Based...
The CrossLock ransomware employs the double extortion technique to increase the likelihood of payment from...
Apr 20, 2023
Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa...
A zero-day vulnerability in the Microsoft Windows system, which also affects Windows 11, has been...
Apr 18, 2023
Additional IOcs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...
Apr 18, 2023
Additional IOcs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...
Apr 18, 2023
APT36 Expands Interest Within Indian Education Sector
Symantec described UPS in 2016 report as Buckeye (also known as APT3 Gothic Panda UPS...
Apr 17, 2023
ChinaZ DDoS Bot Malware Distributed To Linux...
The ChinaZ DDoS bot malware was discovered targeting Linux systems while a version for Microsoft...
Apr 16, 2023
Resurgence Of The Mexals Cryptojacking Campaign
The Mexals crypto jacking campaign has been in operation since at least 2021 and continues...