

A new report today from Palo Alto Networks Inc.’s Unit 42 details the disturbing rise of a ransomware group that has invested in call centers and infrastructure to target individual victims.
Luna Moth, also known as the Silent Ransom Group, has been active since March, starting with a campaign that breaches organizations with fake subscription renewals. The group used phishing campaigns that deliver remote-access tools to enable corporate data theft. Having stolen confidential data, the group threatens to make files publicly available unless a ransom is paid.
The Unit 42 researchers have identified several common indicators suggesting that these attacks are the product of a single, highly organized campaign. Luna Moth has also invested significantly in call centers and in infrastructure that is unique to each victim, which raises the sophistication of its attacks well beyond ordinary phishing.
Luna Moth is engaging in callback phishing, a social engineering attack that requires a threat actor to interact with the target to accomplish its objectives. The attack style is more resource-intensive but less complex than script-based attacks and is said to have a much higher success rate.
Callback phishing, also known as telephone-oriented attack delivery, isn’t new. The infamous Conti group has used the method previously. Luna Moth, however, has evolved the technique by doing away with the malware portion of the attack entirely, instead using legitimate and trusted system management tools to interact directly with a victim’s computer and manually exfiltrate the data that is then used for extortion. Because only legitimate tools are involved, the activity is much less likely to be flagged as malicious by traditional security products.
The lure of recent Luna Moth campaigns is a phishing email with an invoice indicating that the recipient’s credit card has been charged for a service, typically under $1,000. The phishing email is personalized to the recipient, contains no malware and is sent using a legitimate email service.
Attached to the email is a PDF file with a unique ID and phone number, often written with extra characters or formatting to prevent data loss prevention platforms from recognizing it. When recipients call the number, they’re routed to a Luna Moth-controlled call center and connected to a live agent.
On the call, the victim is persuaded to download and run a remote support tool that lets the attacker manage the victim’s computer. Having gained access, the attacker then downloads and installs a remote access tool that allows them to maintain persistence and locate files for exfiltration.
“In this way, the threat actor is able to compromise organizational assets through a social engineering attack on an individual,” the researchers explain. “After the data is stolen, the attacker sends an extortion email demanding victims pay a fee or else the attacker will release the stolen information.”
Since the threat actor takes great pains to avoid all nonessential tools and malware to minimize the potential for detection, the Unit 42 researchers say, employee cybersecurity awareness training is the first line of defense. The researchers conclude that they expect callback phishing attacks to increase in popularity thanks to the low per-target cost, low risk of detection and fast monetization.
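The report notes that the phone number in the PDF lure is padded with extra characters or formatting so that data loss prevention tools miss it, and that detection is the weak point of the whole scheme. The following is an added illustration, not code from Unit 42 or SiliconANGLE, of how a defender can close that gap: it reassembles digit runs that are broken up by spacing, punctuation or look-alike letters and reports any phone-like number that a plain regex rule would have missed. The sample invoice lines and the numbers in them are constructed for the example.

```python
import re

# Constructed sample invoice lines in the style of the lure described above.
# The phone numbers and IDs are made up, not indicators from the Unit 42 report.
SAMPLES = [
    "Questions? Call 1-800-555-0199 to cancel your subscription.",
    "Support line: 1 (8 0 0) 5 5 5 - 0 1 9 9",
    "Call us: 1.8.0.0.5.5.5.0.1.9.9 (ref ID 4471)",
    "Dial +1 8OO 555 O199 before renewal.",  # capital O standing in for zero
    "Your order number is 48812 and ships in 3 days.",
]

# A typical 'plain' North American phone pattern, as a simple DLP rule might use it.
PLAIN_PHONE = re.compile(r"\b1?[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")

# Characters treated as noise when they appear between the digits of one number.
NOISE = set(" .-()[]_/\\|\u00a0\u200b")
# Letters that visually substitute for a digit (only the unambiguous capital O here).
HOMOGLYPHS = {"O": "0"}


def normalize_digit_runs(text, min_digits=10, max_digits=11):
    """Reassemble runs of digits that are separated only by noise characters
    and return those whose length fits a 10- or 11-digit phone number."""
    runs, cur = [], []
    for ch in text:
        ch = HOMOGLYPHS.get(ch, ch)
        if ch.isdigit():
            cur.append(ch)
        elif ch in NOISE and cur:
            continue  # noise inside a run: skip it and keep collecting
        else:
            if cur:
                runs.append("".join(cur))
            cur = []
    if cur:
        runs.append("".join(cur))
    return [r for r in runs if min_digits <= len(r) <= max_digits]


def find_obfuscated_phones(text):
    """Return phone-like digit strings that the plain pattern missed, which is
    exactly the gap the padded or oddly formatted numbers in the lure rely on."""
    plain = {re.sub(r"\D", "", m.group()) for m in PLAIN_PHONE.finditer(text)}
    return [r for r in normalize_digit_runs(text) if r not in plain]


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{find_obfuscated_phones(line)!r:20} <- {line}")
```

Lines 2 to 4 of the samples are flagged while the cleanly formatted number and the plain order number are not, so the check can sit beside an existing DLP rule as a second opinion rather than replace it.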