Luna Moth Ransomware Employs Callback Phishing

Palo Alto Network’s Unit 42 details the disturbing rise of a ransomware group Luna Moth, (aka) the Silent Ransom Group that has invested in call centers and infrastructure to target individual victims.

It starts its campaign with a breach that uses fake subscription renewals. The group used phishing campaigns that deliver remote-access tools to enable corporate data theft. It will threaten the victim with ransom and if not paid it will leak the data

This ransomware engages in callback phishing (telephone-oriented attack delivery), a social engineering attack that requires a threat actor to interact with the target to accomplish its objectives. The attack style is more resource-intensive but less complex than script-based attacks and is said to have a much higher success rate.

Luna Moth uses legitimate tools to ensure the activity isn’t detected as malicious and hence unlikely to be flagged by traditional security products.

Recent campaigns are a phishing email with an invoice indicating that the recipient’s credit card has been charged for a service, typically under $1,000. The phishing email is personalized to the recipient, contains no malware, and is sent using a legitimate email service.

Attached to the email is a PDF file with a unique ID and phone number, often written with extra characters or formatting to prevent data loss prevention platforms from recognizing it. When recipients call the number, they’re routed to a Luna Moth-controlled call center and connected to a live agent.

On the call, the victim is persuaded to download and run a remote support tool to allow the attacker to manage the victim’s computer. Having gained access, the attacker then downloads and installs a RAT that allows them to achieve persistence and find files for exfiltration.

To prevent these type of social engineering attacks, employee cybersecurity awareness training is the first line of defense. The researchers conclude that they expect callback phishing attacks to increase in popularity thanks to the low per-target cost, low risk of detection and fast monetization.

Indicators of Compromise