ETDA ThaiCERT
Report
Search
Home > List all groups > TA516

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Other threat group: TA516

NamesTA516 (Proofpoint)
Country[Unknown]
MotivationFinancial crime, Financial gain
First seen2016
Description(Proofpoint) This actor typically distributes instances of the SmokeLoader intermediate downloader, which, in turn, downloads additional malware of the actor’s choice -- often banking Trojans. Figure 3 shows a lure document from a November campaign in which TA516 distributed fake resumes with malicious macros that, if enabled, launch a PowerShell script that downloads SmokeLoader. In this instance, we observed SmokeLoader downloading a Monero coinminer. Since the middle of 2017, TA516 has used similar macro-laden documents as well as malicious JavaScript hosted on Google Drive to distribute both Panda Banker and a coinminer executable via SmokeLoader, often in the same campaigns.
ObservedCountries: Worldwide.
Tools usedAZORult, Chthonic, Smoke Loader, Zeus Panda.
Operations performedJul 2016Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
<https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan>
Jul 2018New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
<https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside>
Nov 2019New AZORult campaign abuses popular VPN service to steal cryptocurrency
<https://www.kaspersky.com/about/press-releases/2020_new-azorult-campaign-abuses-popular-vpn-service-to-steal-cryptocurrency>
Feb 2020AZORult Campaign Adopts Novel Triple-Encryption Technique
<https://threatpost.com/azorult-campaign-encryption-technique/152508/>
Feb 2020AZORult spreads as a fake ProtonVPN installer
<https://securelist.com/azorult-spreads-as-a-fake-protonvpn-installer/96261/>
Information<https://www.proofpoint.com/us/threat-insight/post/dialing-dollars-coinminers-appearing-malware-components-standalone-threats>

Last change to this card: 14 April 2020

Download this actor card in PDF or JSON format

Previous: Smoky Spider
Next: TA554

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key