A new data extortion gang has been breaking into business networks to steal confidential information, then threatening to release the files publicly unless the victims pay a ransom.
The group, which calls itself Luna Moth, has been running phishing campaigns since at least March that distribute remote access tools (RATs) used to steal business data.
Attack by phishing
The Luna Moth extortion group has been monitored by the incident response team at cybersecurity firm Sygnia, which notes that the actor is trying to build a reputation under the name Silent Ransom Group (SRG).
In a report published earlier this month, Sygnia said that although the goal of Luna Moth (also tracked as TG2729) is to obtain sensitive information, its method of operation mimics that of a scammer.
Luna Moth relies on phishing to accomplish this. Over the last three months the gang ran a large campaign that lured victims with phony subscription emails for Zoho, MasterClass, or Duolingo services.
The message, purportedly from one of those services, warned victims that their subscription was about to expire and would be renewed automatically, giving them 24 hours to make the payment.
The email addresses Luna Moth uses impersonate the brands spoofed in the campaign, but a closer look exposes the scam: the messages come from Gmail accounts.
The email carries a fake invoice as an attachment, which lists contact information for anyone who wants to learn more about the subscription or cancel it.
When the victim calls the number on the invoice, the scammer picks up and walks them through installing a remote access tool on their system.
Common techniques and tools
The tools used and the modus operandi show that Luna Moth is not a highly skilled threat actor.
According to Sygnia, the gang uses commercial remote desktop products including Atera, AnyDesk, Synchro, and Splashtop.
In many of the observed attacks, the researchers say, the threat actors installed multiple RATs on the victim’s computer for redundancy and persistence.
The threat actors also manually installed SoftPerfect Network Scanner, SharpShares, and Rclone, which together support network reconnaissance to locate valuable files, pivoting, and data theft.
The same tools have previously been used by scammers who sent fake invoice emails to trick victims into renewing antivirus subscriptions.
Sygnia says the threat actors do not target particular victims; their attacks are opportunistic, seizing whatever data is available before extorting the victim.
Even so, the actor’s demands are high; according to analysts, Luna Moth may seek “millions of dollars in ransom.”
Utilized dozens of domains
Despite its lack of sophistication, Sygnia found that Luna Moth has used around 90 domain names as part of its infrastructure or to host data taken from compromised firms.
More than 40 of those were phishing sites whose names resembled the impersonated brands, in this case Zoho, MasterClass, and Duolingo; the rest served as exfiltration servers.
Although extortion is usually associated with ransomware attacks, stealing confidential information without encrypting systems appears to be emerging as a new way to profit from business intrusions.
Researchers linked the Karakurt data extortion gang to the recently shut down Conti ransomware operation.