Posted on October 31, 2021 at 5:50 PM
A large-scale hacking group known as TA575 has been discovered targeting major US industries through Squid Game-themed emails carrying malware-laced attachments.
According to the report, the threat actors disguise the emails as coming from Netflix and pretend to provide early access to the show’s latest season. The hackers either ask the targets to fill in some information or open an attachment.
The emails use subject lines such as “Squid Game is back, watch new season before anyone else.”
Cybersecurity firm Proofpoint explained that it discovered the highly technical cybercrime group taking advantage of the popularity of Netflix’s hit “Squid Game” to deceive victims and spread the Dridex malware.
The Group Used Different Mail Headings To Deceive Victims
The security firm also said that TA575 sent emails to their targets and pretended to be someone working on the show.
The threat group also used other headings such as “Squid game schedule season commercials talent cast schedule,” and “Invite for Customers to access the new season.”
Proofpoint also noted that it discovered thousands of emails that use the luring strategy to target several industries in the U.S.
They send attachments along with the emails. Once the target is deceived into opening the attachment, the Dridex banking Trojan is delivered to the user’s system.
Vice president of threat detection and response at Proofpoint, Sherrod DeGrippo, stated that Dridex is a banking trojan used by threat actors to steal funds directly from the victim’s account.
Apart from its primary use, the trojan is also used as a malware loader that lets the threat actors deliver follow-on infections, such as a ransomware attack. This means Dridex can be used to gather information from the users and then use that information to launch a ransomware attack.
Proofpoint has been tracking the TA575 group since last year. Researchers at the security team noted that the hackers generally distribute Dridex via password-protected files, Microsoft Office attachments, and malicious URLs.
The Group Operates Swaths Of The Cobalt Strike Servers
The threat actors use different strategies to lure victims to download documents or click on the links. According to their research, the group sends thousands of emails in a single campaign, which impacts hundreds of organizations. They also make use of the Discord content delivery network (CDN) to host and distribute Dridex.
According to Proofpoint researchers, Discord is increasingly being used by cybercriminals as a malware-hosting service.
Archie Agarwal, cybersecurity expert and Chief Executive Officer of ThreatModeler, commented on the activities of the threat actors. He noted that the group is made up of highly technical and prolific opportunists specializing in the Dridex malware. He stated that the threat actors also operate swaths of Cobalt Strike servers.
The Threat Group Is Using Various Attacking Methods
Both the Cobalt Strike servers and the Dridex malware are examples of how threat actors can repurpose the work of others. According to Agarwal, although the group was only recently discovered, the Dridex trojan dates back as far as 2015, when it was widely used for banking credential theft.
Senior manager of security solutions at Lookout, Hank Schless, stated that threat actors have used several attack methods to steal sensitive data throughout the Covid-19 pandemic. He said these groups use hooks related to government aid or vaccines to trick victims into unknowingly installing malicious attachments.
Lookout also revealed that threat actors are actively targeting users via mobile channels, using dating apps, gaming and social media apps, third-party messaging apps, and SMS. One of the most interesting parts of the data is that the TA575 threat group uses the Discord CDN to host and plant the malware.
Lookout noted that the practice is very common, as threat actors use legitimate services as an intermediary command and control server. The research team stated that the strategy is frequently seen with data storage platforms such as Dropbox. Lookout noted that threat actors generally do this because it helps them hide from detection, especially when the traffic looks legitimate.
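The lure described in this article combines a spoofed Netflix sender, a Squid Game subject line, and either an Office/archive attachment or a link to a file hosted on the Discord CDN. The following is an added example of how a mail-gateway triage rule could score messages on those traits; it is not Proofpoint's or Lookout's detection logic, and the sample messages, the Discord CDN host names, the legitimate-sender domain list and the attachment extensions are all constructed assumptions for illustration.

```python
"""
Triage rules for a Netflix-themed "Squid Game" phishing lure that carries an
Office/archive attachment or a link to malware hosted on the Discord CDN.
Constructed example only; not Proofpoint's or Lookout's own detection logic.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject fragments quoted in the article, lower-cased for matching.
LURE_SUBJECT_TERMS = ("squid game", "new season", "talent cast schedule")

# Brand the sender impersonates (from the article). The set of domains allowed
# to send on its behalf is an assumption; use your own allow-list.
IMPERSONATED_BRAND = "netflix"
LEGIT_BRAND_DOMAINS = {"netflix.com"}

# Discord CDN host names (assumption: adjust to what your gateway observes).
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Carrier types the article names: Office attachments and password-protected
# archives. The concrete extensions are an assumption.
OFFICE_EXTS = (".doc", ".docm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm")
ARCHIVE_EXTS = (".zip", ".rar", ".7z")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def lure_subject(subject: str) -> bool:
    """True if the subject contains one of the known lure phrases."""
    s = subject.lower()
    return any(term in s for term in LURE_SUBJECT_TERMS)


def spoofed_brand_sender(from_header: str) -> bool:
    """Display name or address claims the brand, but the domain is not the brand's."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_brand = IMPERSONATED_BRAND in (name + " " + addr).lower()
    return claims_brand and domain not in LEGIT_BRAND_DOMAINS


def discord_cdn_urls(body: str) -> list:
    """Return every URL in the body whose host is a Discord CDN host."""
    hits = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host and host.lower() in DISCORD_CDN_HOSTS:
            hits.append(url)
    return hits


def risky_attachments(attachments: list) -> list:
    """Return attachment names that are Office documents or archives."""
    return [n for n in attachments
            if n.lower().endswith(OFFICE_EXTS) or n.lower().endswith(ARCHIVE_EXTS)]


def triage(msg: dict) -> dict:
    """Score one message: social-engineering trait + delivery vector => high."""
    findings = []
    if lure_subject(msg.get("subject", "")):
        findings.append("lure_subject")
    if spoofed_brand_sender(msg.get("from", "")):
        findings.append("spoofed_sender")
    if discord_cdn_urls(msg.get("body", "")):
        findings.append("discord_cdn_link")
    if risky_attachments(msg.get("attachments", [])):
        findings.append("risky_attachment")
    has_vector = "discord_cdn_link" in findings or "risky_attachment" in findings
    has_social = "lure_subject" in findings or "spoofed_sender" in findings
    if has_vector and has_social:
        verdict = "high"
    elif findings:
        verdict = "medium"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages (not real captures).
SAMPLES = [
    {"from": "Netflix <promo@netflix-early-access.example>",
     "subject": "Squid Game is back, watch new season before anyone else",
     "attachments": ["Squid_Game_S2_Invite.xlsm"],
     "body": "Open the attached invite to watch early."},
    {"from": "Netflix <info@netflix.com>",
     "subject": "Your monthly statement",
     "attachments": [],
     "body": "View it at https://www.netflix.com/account"},
    {"from": "HR <hr@corp.example>",
     "subject": "Invite for Customers to access the new season",
     "attachments": [],
     "body": "Download: https://cdn.discordapp.com/attachments/1/2/schedule.zip"},
]


def triage_all(msgs=SAMPLES) -> list:
    """Verdict for each sample, in order."""
    return [triage(m)["verdict"] for m in msgs]


if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", triage(m))
```

The rule deliberately separates the social-engineering traits (lure subject, spoofed brand) from the delivery vector (risky attachment, Discord CDN link) so that a legitimate Netflix mailing never scores high on brand alone, while a message with both a lure and a vector does even when the sender domain is unrelated to the impersonated brand.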