Luna Moth, also known as the Silent Ransom Group, has been active since March, starting with a campaign that breaches organizations with fake subscription renewals. The group used phishing campaigns that deliver remote-access tools to enable corporate data theft. Having stolen confidential data, the group threatens to make files publicly available unless a ransom is paid.
The Unit 42 researchers have identified several common indicators implying that these attacks are the product of a single highly organized campaign. Luna Moth has also significantly invested in call centers and infrastructure unique to each victim, to take their attacks to the next level.
Luna Moth is engaging in callback phishing, a social engineering attack that requires a threat actor to interact with the target to accomplish its objectives. The attack style is more resource-intensive but less complex than script-based attacks and is said to have a much higher success rate.
Callback phishing, also known as telephone-oriented attack delivery, isn’t new. The infamous Conti group has used the method previously. Luna Moth, however, has evolved the technique by doing away with the malware portion of the attack, instead using legitimate and trusted system management tools to interact directly with a victim’s computer and manually exfiltrate data to be used for extortion. By using legitimate tools, Luna Moth can ensure the activity isn’t detected as malicious and is hence unlikely to be flagged by traditional security products.
The lure of recent Luna Moth campaigns is a phishing email with an invoice indicating that the recipient’s credit card has been charged for a service, typically under $1,000. The phishing email is personalized to the recipient, contains no malware and is sent using a legitimate email service.
Attached to the email is a PDF file with a unique ID and phone number, often written with extra characters or formatting to prevent data loss prevention platforms from recognizing it. When recipients call the number, they’re routed to a Luna Moth-controlled call center and connected to a live agent.
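The obfuscated phone number is the part of this lure a mail gateway or DLP scanner can still catch. The following is an added example (not from Unit 42 or the report above) of a defender-side normalizer that collapses the extra characters and formatting before matching, and flags text where a recoverable number co-occurs with invoice wording; the sample lure text and keyword list are constructed assumptions.

```python
import re
from typing import List, Optional

# Constructed sample text standing in for what a gateway would extract from a
# lure's PDF attachment and email body (not data from the Unit 42 report).
SAMPLE_LURE = """Thank you for renewing your subscription.
Your card on file has been charged $489.00 (invoice ID: LM-00731).
To cancel or dispute this charge call 1 (8 0 0) 5-5-5 . 0-1-9-9 within 24 hours."""

# A run of 10-11 digits where every gap is at most three "noise" characters:
# spaces and punctuation that a DLP regex tuned for "800-555-0199" would miss.
NOISE = r"[\s().\-_*|:#]{0,3}"
CANDIDATE = re.compile(r"\+?\d(?:" + NOISE + r"\d){9,10}")

# Wording typical of the lure described above: a small charge plus a number to call.
LURE_WORDS = re.compile(
    r"\b(charged?|invoice|renew(al|ed)?|subscription|dispute|cancel)\b", re.I
)


def normalize_nanp(candidate: str) -> Optional[str]:
    """Collapse an obfuscated digit run to a 10-digit NANP number, or None."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the country code
    if len(digits) != 10:
        return None
    # NANP: area code and exchange cannot start with 0 or 1; this rejects most
    # order IDs and dates that happen to be ten digits long.
    if digits[0] in "01" or digits[3] in "01":
        return None
    return digits


def extract_phone_numbers(text: str) -> List[str]:
    """Return de-duplicated, normalized phone numbers found in text."""
    found: List[str] = []
    for m in CANDIDATE.finditer(text):
        number = normalize_nanp(m.group(0))
        if number and number not in found:
            found.append(number)
    return found


def flag_callback_lure(text: str) -> bool:
    """True when invoice/charge wording co-occurs with an (obfuscated) phone number."""
    return bool(LURE_WORDS.search(text)) and bool(extract_phone_numbers(text))


if __name__ == "__main__":
    print(extract_phone_numbers(SAMPLE_LURE))  # ['8005550199']
    print(flag_callback_lure(SAMPLE_LURE))     # True
```

The digit-run approach deliberately ignores the separators, so it also recovers numbers written as "+1 800.555.0199" or "800-555-0199"; combine it with the invoice-keyword check rather than using it alone, or any contact number in an ordinary mail will trip it.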
On the call, the victim is persuaded to download and run a remote support tool to allow the attacker to manage the victim’s computer. Having gained access, the attacker then downloads and installs a RAT that allows them to achieve persistence and find files for exfiltration.
“In this way, the threat actor is able to compromise organizational assets through a social engineering attack on an individual,” the researchers explain. “After the data is stolen, the attacker sends an extortion email demanding victims pay a fee or else the attacker will release the stolen information.”
Since the threat actor takes great pains to avoid all nonessential tools and malware to minimize the potential for detection, the Unit 42 researchers say, employee cybersecurity awareness training is the first line of defense. The researchers conclude that they expect callback phishing attacks to increase in popularity thanks to the low per-target cost, low risk of detection and fast monetization.