TA516
Description
(Proofpoint) This actor typically distributes instances of the SmokeLoader intermediate downloader, which, in turn, downloads additional malware of the actor’s choice — often banking Trojans. Figure 3 shows a lure document from a November campaign in which TA516 distributed fake resumes with malicious macros that, if enabled, launch a PowerShell script that downloads SmokeLoader. In this instance, we observed SmokeLoader downloading a Monero coinminer. Since the middle of 2017, TA516 has used similar macro-laden documents as well as malicious JavaScript hosted on Google Drive to distribute both Panda Banker and a coinminer executable via SmokeLoader, often in the same campaigns.
Names
| Name | Name-Giver |
|---|---|
| TA516 | Proofpoint |
| SmokingDro | Proofpoint |
Country
Motivation
- Financial crime
- Financial gain
First Seen
2016
Observed Countries
Tools
Operations
- 2016-07: Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan
- 2018-07: New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside
- 2019-11: New AZORult campaign abuses popular VPN service to steal cryptocurrency https://www.kaspersky.com/about/press-releases/2020_new-azorult-campaign-abuses-popular-vpn-service-to-steal-cryptocurrency
- 2020-02: AZORult Campaign Adopts Novel Triple-Encryption Technique https://threatpost.com/azorult-campaign-encryption-technique/152508/
- 2020-02: AZORult spreads as a fake ProtonVPN installer https://securelist.com/azorult-spreads-as-a-fake-protonvpn-installer/96261/
Information
Other Information
Uuid
24184e42-b04f-4878-8fd3-e53acf7526f2
Last Card Change
2023-01-01