| SYMBOL | COMMON_NAME | aka. SYNONYMS |
This actor typically distributes instances of the SmokeLoader intermediate downloader, which, in turn, downloads additional malware of the actor’s choice -- often banking Trojans. Figure 3 shows a lure document from a November campaign in which TA516 distributed fake resumes with malicious macros that, if enabled, launch a PowerShell script that downloads SmokeLoader. In this instance, we observed SmokeLoader downloading a Monero coinminer. Since the middle of 2017, TA516 has used similar macro-laden documents as well as malicious JavaScript hosted on Google Drive to distribute both Panda Banker and a coinminer executable via SmokeLoader, often in the same campaigns.
There are currently no families associated with this actor.
| 2020-07-08
⋅
ThaiCERT
⋅
Threat Group Cards: A Threat Actor Encyclopedia TA516 TA547 TA554 TA555 |