Hackers Calling on Line 1

The Luna Moth group, also known as the Silent Ransom Group, has been active since March 2022 and has extorted hundreds of thousands of dollars from victims in the legal and retail sectors. The attacks are notable for using callback phishing, also called telephone-oriented attack delivery (TOAD).

The lure in recent Luna Moth campaigns is a phishing email carrying an invoice that claims the recipient's credit card has been charged for a service, typically for less than $1,000. The email is personalized to the recipient, contains no malware, and is sent through a legitimate email service.

Attached to the email is a PDF containing a unique ID and a phone number, often written with extra characters or unusual formatting so that data loss prevention (DLP) platforms do not recognize it as a phone number. Recipients who call the number reach a Luna Moth-controlled call center and are connected to a live agent, who persuades the victim to download and run a remote support tool that gives the attacker control of the victim's computer. With that access, the attacker installs a remote access tool (RAT) to maintain persistence and hunts for files to exfiltrate. No employee should ever install software at the direction of a voice on the telephone; such a request should be the first clue that something is wrong.
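The lure described above is designed to slip past controls that key on links, attachments, or a cleanly formatted phone number. The following script is an added example, not code from the Red Sky Alliance report: it normalizes the obfuscation tricks the paragraph mentions (filler characters, fullwidth digits, zero-width characters) to recover the callback number, then scores the message on the callback-phishing pattern of a billing claim plus urgency plus a phone number and no links. The separator set, keyword lists, scoring threshold, and both sample messages are assumptions constructed for the example.

```python
import re
import unicodedata

# Zero-width / joiner characters that can be slipped between digits: invisible
# to the reader, but they break a naive DLP regex that expects adjacent digits.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"), None)

# Assumption: up to three filler characters (spaces, dashes, dots, brackets,
# bullets, slashes, underscores, asterisks) may separate consecutive digits.
SEP = r"[\s\-.()\[\]\u00b7\u2022/\\_*]{0,3}"
# 10 or 11 digits, not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d" + SEP + r"){9,10}\d(?!\d)")

# Assumed keyword lists; tune to the lures your organization actually sees.
BILLING_TERMS = ("charged", "invoice", "renew", "subscription", "debited", "refund", "payment")
URGENCY_TERMS = ("within 24 hours", "cancel", "immediately", "dispute", "today")
URL = re.compile(r"https?://|www\.", re.IGNORECASE)


def normalize_text(text):
    """NFKC folds fullwidth digits such as ８５５ to ASCII; then drop zero-width chars."""
    return unicodedata.normalize("NFKC", text).translate(ZERO_WIDTH)


def to_e164(digits):
    """Return +1NXXNXXXXXX for a plausible NANP number, else None."""
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    if len(digits) != 10:
        return None
    # Area code and exchange both start with 2-9 in the North American plan,
    # which rejects most order numbers and reference IDs of the same length.
    if digits[0] not in "23456789" or digits[3] not in "23456789":
        return None
    return "+1" + digits


def find_phone_numbers(text):
    """Find obfuscated NANP numbers; returns [{"raw": ..., "e164": ...}, ...].

    "raw" is the match as it reads after normalization (zero-width chars removed).
    """
    found = []
    for m in CANDIDATE.finditer(normalize_text(text)):
        digits = "".join(str(unicodedata.digit(ch)) for ch in m.group(0) if ch.isdigit())
        e164 = to_e164(digits)
        if e164:
            found.append({"raw": m.group(0).strip(), "e164": e164})
    return found


def assess_callback_lure(text):
    """Score an email body for the callback-phishing pattern: a billing claim,
    urgency, a phone number to call, and no links to detonate."""
    low = normalize_text(text).lower()
    phones = find_phone_numbers(text)
    signals = {
        "phone_number": bool(phones),
        "billing_lure": any(t in low for t in BILLING_TERMS),
        "urgency": any(t in low for t in URGENCY_TERMS),
        "no_links": URL.search(low) is None,
    }
    score = sum(signals.values())
    # Assumed threshold: a phone number plus at least two other signals.
    return {"score": score, "suspicious": bool(phones) and score >= 3,
            "signals": signals, "phones": phones}


# Constructed sample messages (not real lures). The number in the lure uses
# zero-width spaces, fullwidth digits and dashes to hide from a simple regex.
SAMPLE_LURE = (
    "Thank you for your order. Your card has been charged $349.99 for a 1-year "
    "subscription renewal (Order 20231105883). To cancel or dispute this charge, "
    "call our billing desk at 8\u200b5\u200b5 (５５５) 0-1-2-3 within 24 hours."
)
SAMPLE_BENIGN = (
    "Hi team, the Q3 invoice PDF is attached. Reach me at (212) 555-0147 if you "
    "have questions. https://intranet.example/finance"
)

if __name__ == "__main__":
    for label, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, assess_callback_lure(body))
```

The benign message also carries a phone number and the word "invoice", but it has a link and no urgency, so it stays below the threshold; the point of scoring several weak signals together is that no single one (least of all "contains a phone number") is usable on its own.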

Researchers said the attacks are the "product of a single highly organized campaign," adding, "this threat actor has significantly invested in call centers and infrastructure unique to each victim." The investigators described the activity as a "pervasive multi-month campaign that is actively evolving."

What makes callback phishing effective is that the email contains no malicious attachment or booby-trapped link, so it evades email security controls that look for those indicators. The malicious step happens only after the victim calls: they are routed to an actor-controlled call center and connected to a live agent, who talks them into installing a remote access tool that gives the attacker persistence.

The attacker then looks for valuable information on the victim's computer and any connected file shares and quietly exfiltrates it to an attacker-controlled server using a file transfer tool. The campaign is resource intensive but technically unsophisticated, and it likely has a much higher success rate than conventional phishing. It enables extortion without encryption: the actors steal sensitive data and demand payment without ever deploying ransomware to lock files.

The Luna Moth actor has become expert at such schemes; researchers believe the group was behind last year's BazarCall attacks. To give the intrusion an appearance of legitimacy, the adversaries do not drop malware such as BazarLoader. Instead they rely on legitimate tools such as Zoho Assist to interact with the victim's computer remotely, then abuse that access to deploy other trusted software, such as Rclone or WinSCP, to harvest data.

Extortion demands range from 2 to 78 Bitcoin depending on the organization targeted, and the threat actor creates a unique cryptocurrency wallet for each payment. The adversary reportedly offers discounts of nearly 25% for prompt payment, though there is no guarantee that the data will be deleted. The actors have taken great pains to avoid all non-essential tools and malware to minimize the chance of detection. Because there are very few early indicators that a victim is under attack, employee security awareness training is the first line of defense.
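Awareness training is the first line of defense, but the tool chain described above (a legitimate remote support tool, followed by Rclone or WinSCP moving data off the host) is itself a hunt signal, because each tool is ordinary on its own and only the sequence is unusual. The script below is an added example, not code from the Red Sky Alliance report or from any detection product: it reads Sysmon-style process-creation records and raises an alert when a bulk transfer tool runs on a host where remote support software ran shortly before, or when the transfer tool is launched from a user-writable path. The log lines, host and user names, the remote support binary name, the marker strings, and the 72-hour correlation window are all assumptions constructed for the example.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Constructed, Sysmon-style process-creation records for the example: invented
# hosts, users, binary names and paths, not telemetry from any real incident.
SAMPLE_LOG = r"""
{"ts": "2022-11-07T14:02:11Z", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\ZohoAssist_Remote_Support.exe", "cmdline": "ZohoAssist_Remote_Support.exe", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2022-11-07T15:40:03Z", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe", "cmdline": "rclone.exe copy \"C:\\Shares\\Legal\" exfil:legal-archive --transfers 16", "parent": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2022-11-07T09:15:00Z", "host": "WS02", "user": "CORP\\it-admin", "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "cmdline": "WinSCP.exe /console /script=C:\\backup\\nightly.txt", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2022-11-07T16:00:00Z", "host": "WS03", "user": "CORP\\backup-svc", "image": "C:\\Program Files\\rclone\\rclone.exe", "cmdline": "rclone.exe sync D:\\Backups corp-backup:nightly", "parent": "C:\\Windows\\System32\\svchost.exe"}
"""

# Assumption: substrings that identify remote support software in your telemetry.
# The report names Zoho Assist, so that is what is matched here; extend as needed.
REMOTE_SUPPORT_MARKERS = ("zohoassist", "zoho assist", "zoho_assist")
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe"}
# Directories an unprivileged user can write to; legitimate installs live elsewhere.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
LOOKBACK = timedelta(hours=72)  # assumed correlation window
# An rclone-style "remote:path" token; the character after the colon excludes
# drive letters such as C:\ and quoted Windows paths.
REMOTE_TARGET = re.compile(r'(?:^|\s)([A-Za-z][\w-]*:[^\s\\/"]\S*)')


def parse_events(log_text):
    """Parse JSON lines into dicts with a UTC datetime and a lowercase basename."""
    events = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["basename"] = PureWindowsPath(rec["image"]).name.lower()
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def is_remote_support(event):
    hay = (event["image"] + " " + event["cmdline"]).lower()
    return any(marker in hay for marker in REMOTE_SUPPORT_MARKERS)


def hunt(events):
    """Return alerts for transfer-tool executions that fit the callback-phishing chain."""
    alerts = []
    for i, e in enumerate(events):  # events are time-ordered, so events[:i] is the past
        if e["basename"] not in TRANSFER_TOOLS:
            continue
        reasons = []
        precursors = [p for p in events[:i]
                      if p["host"] == e["host"] and is_remote_support(p)
                      and e["ts"] - p["ts"] <= LOOKBACK]
        if precursors:
            last = precursors[-1]
            reasons.append(f"remote support tool {last['basename']} ran "
                           f"{e['ts'] - last['ts']} earlier on this host")
        if any(marker in e["image"].lower() for marker in USER_WRITABLE):
            reasons.append("transfer tool launched from a user-writable path")
        if not reasons:
            continue  # a backup job from Program Files with no precursor stays quiet
        remote = REMOTE_TARGET.search(e["cmdline"])
        if remote:  # context only; a remote target alone does not trigger an alert
            reasons.append(f"command line names a remote target: {remote.group(1)}")
        alerts.append({"host": e["host"], "user": e["user"], "ts": e["ts"].isoformat(),
                       "tool": e["basename"], "cmdline": e["cmdline"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Of the four constructed records only the WS01 rclone run is alerted: it follows a remote support session on the same host and was launched from a temp directory. The WinSCP backup script and the service-account rclone sync run from Program Files with no precursor and stay silent, which is the point of correlating on the sequence rather than on the tool name.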

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com

• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
