A new report today from Unit 42 of Palo Alto Networks Inc. describes the alarming rise of a ransomware group that has invested in call centers and per-victim infrastructure to target individual victims.
Luna Moth, also known as the Silent Ransom Group, has been active since March, when it began a campaign against organizations built on fake subscription renewals. The group's phishing campaigns trick victims into installing remote-access tools that are then used to steal corporate data. Having stolen confidential data, the group threatens to make the files publicly available unless a ransom is paid.
Unit 42 researchers have identified several common indicators showing that these attacks are the product of a highly organized campaign. Luna Moth has also invested heavily in call centers and in infrastructure unique to each victim to take its attacks to the next level.
Luna Moth engages in callback phishing, a social engineering attack that requires the threat actor to interact directly with the target to achieve its goals. This style of attack demands more resources but is less complex than script-based attacks, and it is reported to have a much higher success rate.
Callback phishing, also known as phone-centric attack delivery, is nothing new. The infamous Conti group has used the method before. However, Luna Moth has evolved the technique by removing the malware component of the attack altogether, instead using legitimate, trusted system-management tools to interact directly with the victim’s computer and exfiltrate the data that is then used for manual extortion. By using legitimate tools, Luna Moth keeps its activity from being detected as malicious, so it is unlikely to be flagged by traditional security products.
The lure of recent Luna Moth campaigns is a phishing email with an invoice showing that the recipient’s credit card has been charged for a service, usually under $1,000. The phishing email is personalized to the recipient, contains no malware, and is sent via a legitimate email service.
Attached to the email is a PDF file with a unique identifier and phone number, often written with extra characters or formatted to prevent recognition by data loss prevention platforms. When recipients call the number, they are directed to a call center controlled by Luna Moth and connected to a live agent.
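A defender-side triage routine for the lure stage described above, added here as an example (it is not code from the Unit 42 report or from this article): it recovers phone numbers that have been padded with filler characters, the trick the report says is used to evade data loss prevention matching, and then scores a message on the lure traits the article lists. The keyword lists, weights and sample messages are constructed assumptions, not indicators from the report.

```python
import re

# A "digit run": digits joined by at most three non-word characters, so that
# "8 0 0 - 5.5.5 (0) 1 9 9" is treated as one candidate number. An optional
# leading "(" keeps ordinary "(800) 555-0199" layouts intact for the format check.
DIGIT_RUN = re.compile(r"\(?\d(?:[^\w\n]{0,3}\d)*")
# Formats a person would normally type; any other layout counts as obfuscated.
CONVENTIONAL = re.compile(
    r"^(?:\+?1[\s.-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}$")
LURE_WORDS = re.compile(r"\b(invoice|subscription|renew(?:al|ed)?|charged|receipt)\b", re.I)
CALL_WORDS = re.compile(r"\b(call|phone|dial)\b", re.I)
AMOUNT = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*(?:\.\d{2})?)")

def extract_phone_numbers(text):
    """Return (normalized 10-digit number, was_obfuscated) for each phone-like run."""
    found = []
    for match in DIGIT_RUN.finditer(text):
        run = match.group(0)
        digits = re.sub(r"\D", "", run)
        if len(digits) == 11 and digits[0] == "1":
            digits = digits[1:]                 # drop the country code
        if len(digits) != 10:
            continue                            # invoice ids, dates, amounts
        found.append((digits, CONVENTIONAL.match(run) is None))
    return found

def score_invoice_lure(subject, body):
    """Count the lure traits present; an obfuscated number is weighted double."""
    text = f"{subject}\n{body}"
    phones = extract_phone_numbers(text)
    amounts = [float(a.replace(",", "")) for a in AMOUNT.findall(text)]
    signals = {
        "invoice_wording": bool(LURE_WORDS.search(text)),
        "asks_to_call": bool(CALL_WORDS.search(text)),
        "small_charge": any(0 < a < 1000 for a in amounts),
        "phone_present": bool(phones),
        "phone_obfuscated": any(obf for _, obf in phones),
    }
    score = sum(signals.values()) + int(signals["phone_obfuscated"])
    return score, signals, sorted({n for n, _ in phones})

# Constructed sample messages (not real lures) for a quick local run.
LURE_BODY = ("Your card was charged $498.00 for a 1-year subscription renewal.\n"
             "To dispute this charge call 8 0 0 - 5.5.5 (0) 1 9 9 within 24 hours.")
BENIGN_BODY = ("Thanks for your order #4821! Questions? Phone support: (800) 555-0123.\n"
               "Total: $1,249.00")

if __name__ == "__main__":
    print(score_invoice_lure("Invoice 7731", LURE_BODY))      # score 6
    print(score_invoice_lure("Order confirmation", BENIGN_BODY))  # score 2
```

The score is a triage aid for routing attachments and bodies to a reviewer, not a verdict; tune the word lists to the phrasing seen in your own mail flow.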
In the call, the victim is convinced to download and run a remote support tool that lets the attacker control the victim’s computer. Once access is gained, the attacker downloads and installs a RAT that provides persistence and is used to locate files to exfiltrate.
“Thus, the threat is able to compromise an organization’s assets through a socially engineered attack against an individual,” the researchers explain. “Once the data is stolen, the attacker sends an extortion email demanding victims pay a fee or else the attacker will release the stolen information.”
Because the threat actor goes to great lengths to avoid all nonessential tools and malware in order to minimize the potential for detection, Unit 42 researchers say employee cybersecurity awareness training is the first line of defense. The researchers conclude that they expect callback phishing attacks to grow in popularity because of the low cost per target, low risk of detection, and rapid monetization.