Search This Blog

Rise of Luna Moth’s Malware-Free Extortion Campaign

Luna Moth attacks victims across the globe using phishing and legitimate tools to steal data and extract a ransom.


A group of security researchers has discovered that a threat actor has managed to extort hundreds of thousands of dollars from mostly small and midsized businesses over the last few months without using any encryption tools or malware. 

A group of attackers, known as Luna Moth (also called the "Silent" ransomware group), has been using an array of legitimate tools and a method of extortion known as "call-back phishing" to target victims. Later, they use sensitive data as leverage over them to take control of their finances.

Targeted attacks 

In a report published by Palo Alto Network's Unit 42 on Monday, researchers said that in the past, the adversary has primarily targeted smaller legal firms, but in recent times, it has begun moving after larger retailers as well, according to the report. There is evidence that the threat actor's tactics have evolved over the last few years, suggesting that they have become more efficient. According to a security vendor, this means that it now poses a danger to every organization, regardless of its size.

As a senior threat researcher at Palo Alto Networks and a threat researcher with Unit 42, Kristopher Russo is finding that this tactic is widely used to target businesses of all sizes, from large retailers to small and medium-sized law firms. "Because social engineering targets individuals, the size of the company does not offer much protection", said Kristopher Russo. 

Call-Back Phishing 

Call-back phishing is a tactic that security researchers first observed being used by the Conti ransomware over a year ago in a campaign to install BazarLoader malware on their targets' systems. 

The scam starts with an adversary sending a phishing email to a specific, targeted individual at a victim organization. The phishing email is custom-made for the recipient. It originates from a legitimate email service and involves some kind of lure to get the user to initiate a phone call with the attacker. 

In the Luna Moth incidents that Unit 42 researchers observed, the phishing email contained an invoice in the form of a PDF file for a subscription service in the recipient's name. The attackers inform the victim that the subscription will soon be active and billed to the credit card on file. The email provides a phone number to a purported call center — or sometimes multiple numbers, that users can call if they have questions about the invoice. Some of the invoices have logos of well-known companies on top of the page. 

"This invoice even includes a unique tracking number used by the call center," Russo says. "So, when the victim calls the number to dispute the invoice, they look like a legitimate business." The attackers then convinced users who called to initiate a remote session with them using the Zoho Assist virtual support tool. Once the victim is connected to the remote session, the attacker takes control of the victim's keyboard and mouse. He enables access to the clipboard, and blanks out the user's screen, Unit 42 said. 

After the attackers have accomplished that, their next step is to install legitimate Syncro remote support software for maintaining persistence on the victim's machine. They have also deployed other legit tools such as Rclone or WinSCP to steal data from it. Security tools rarely flag these products as suspicious because administrators have legitimate use cases for them in an environment. 

In previous attacks, the adversaries installed multiple remote monitoring and management tools such as Atera and Splashtop on victim systems. However, lately, they appear to have whittled down their toolkit, Unit 42 said. 

If a victim does not have administrative rights on their system, the attacker eschews any attempt to persist on it. Instead, he proceeds straight to stealing data by leveraging WinSCP Portable.

"In cases where the attacker established persistence, exfiltration occurred hours to weeks after initial contact. Otherwise, the attacker only took what they could during the call," Unit 42 said in its report. 

Russo, who is the CEO of Russo Technologies, Inc., believes that the invoice even includes a tracking number that is used by the call center. As a result, when a victim telephones the number to dispute an invoice, it appears to be a legitimate company. 

A user who called was then convinced to engage in a remote session with the attackers via the Zoho Assist virtual support tool after they had been warned. The attackers will take control of the victim's keyboard and mouse as soon as he is connected to the remote session. It has been reported by Unit 42 that the threat actor also blanks the screen of the user after enabling access to the clipboard. 

Having obtained the victim's system credentials, the attackers then proceeded to install official Syncro remote support software on the victim's device. This was necessary to maintain persistence on their host machine. Additionally, a couple of other legitimate tools have been used to steal data from this computer, such as Rclone and WinSCP. Since administrators have legitimate reasons for using these products in their environments, these products are rarely flagged as suspicious by security tools. 

There were initially multiple monitoring and management tools installed on victims' computers by the adversaries, such as Atera and Splashtop, during the initial attacks. Despite this, Unit 42 reported that it appears they have been whittling down their tool set as of late. 

Any attempt by the attacker to persist on a system without administrative rights will be blocked if the victim does not have administrative rights on the system. Rather, what he does is directly access WinSCP Portable and use that to steal data directly from the computer. 

Depending on the circumstances, a persistent attacker may be able to exfiltrate the victim after hours or even weeks after initial contact. If the attacker does not establish persistence, exfiltration may take place after a few days or even weeks after initial contact, Unit 42 reported. 

Applying the Most Pressure 

According to Russo, the Luna Moth group usually looks for data that, when used appropriately, will pose the greatest pressure on their victims with the least amount of risk. A deep understanding of the legal industry was evident from the attacker's targeting of law firms. A person with knowledge of computer science could easily distinguish which data would be harmful if misused. 

Ruso describes Unit 42 as working on cases in which the law firm's sensitive and confidential data had been targeted by hackers. A sample of the most damaging data they stole was included in the extortion email that attackers sent out after reviewing the data they had stolen. 

There have been many attacks in which the adversary changed the victim's biggest clients by name and threatened to contact them directly if the victim organization did not pay the demanded ransom - which could range anywhere from 2 to 78 Bitcoins in some cases. 

According to the investigations carried out by Unit 42, the attackers in the cases where they gained access to the victim's computer did not move laterally once they obtained access. Although, Russo points out that the organization does continually monitor the compromised computer if the victim has admin credentials - even venturing so far as to telephone victims and taunt them if they notice remedial efforts have been made. 

Among the first to report on Luna Moth's activities, Sygnia described Luna Moth as surfacing most likely in March, according to one of its reports. In addition to using commercially available remote access tools, including Atera, Splashtop, and Syncro, as well as AnyDesk for persistence, the security vendor said that it had observed the threat actor working with commercially available remote access tools. Researchers from Sygnia said that in addition to the SoftPerfect network scanner, Sygnia observed that the threat actor was also using a third-party tool called SharpShares for network enumeration and a fourth tool called SharpShares for reconnaissance during their investigation. According to Sygnia, the attackers have included spoof names in the names of the tools they have stored on compromised systems to disguise them as legitimate binaries. 

According to Russo, the threat actor whose actions are being targeted is only concerned with minimizing their digital footprint to circumvent most technical security controls. 

Unit 42 said that since the attackers relied completely on social engineering to conduct the campaign and legitimate tools to execute it, there were few artifacts left behind following the attack. To be able to safeguard themselves against this new threat, Russo said his organization recommends that organizations of all sizes conduct security awareness training for their employees.
Share it:

Cyber Attacks

Luna Moth

Unit 42