October 4, 2023

Palo Alto Networks' Unit 42 details the disturbing rise of Luna Moth, a ransomware group also known as the Silent Ransom Group, which has invested in call centers and supporting infrastructure to target victims one at a time.

Its campaigns begin with a lure built around a fake subscription renewal: phishing emails that lead the victim to install a remote-access tool, which the group then uses to steal corporate data. The victim is then sent a ransom demand, and if it is not paid the stolen data is leaked.

The group relies on callback phishing (also called telephone-oriented attack delivery, or TOAD), a social engineering technique in which the threat actor has to interact with the target directly to accomplish its objectives. This style of attack is more resource-intensive but less technically complex than script-based attacks, and it is reported to have a much higher success rate.


Luna Moth uses legitimate tools rather than malware, so its activity does not look malicious and is unlikely to be flagged by traditional security products.

Recent campaigns begin with a phishing email carrying an invoice that tells the recipient their credit card has been charged for a service, typically an amount under $1,000. The email is personalized to the recipient, contains no malware, and is sent through a legitimate email service.

Attached to the email is a PDF containing a unique ID and a phone number, the latter often written with extra characters or unusual formatting so that data loss prevention (DLP) platforms do not recognize it as a phone number. Recipients who call the number are routed to a Luna Moth-controlled call center and connected to a live agent.

On the call, the agent talks the victim into downloading and running a remote support tool that lets the attacker manage the victim's computer. With that access, the attacker downloads and installs a remote access tool (RAT) to maintain persistence and searches for files worth exfiltrating.

To prevent this type of social engineering attack, employee cybersecurity awareness training is the first line of defense. The researchers conclude that they expect callback phishing to grow in popularity because of its low per-target cost, low risk of detection and fast monetization.


Indicators of Compromise

Domain                      IP Address
dictumst.xyz                23.254.229.90
tincidunt.xyz               192.119.110.47
deserunt.xyz                192.119.110.22
mczoho.com                  192.119.111.25
masterzohoclass.com         192.236.178.3
zohocook.com                192.236.177.251
molestie.xyz                192.236.193.152
adipiscing.xyz              192.236.193.150
fringilla.xyz               192.236.193.148
volutpat.xyz                192.236.193.151
ultrices.xyz                192.236.193.149
cookwithzoho.com            192.236.193.141
cookingbyzoho.com           192.236.193.140
massay.xyz                  192.236.177.20
masaay.xyz                  192.236.176.79
myaaas.xyz                  192.236.192.84
myaasa.xyz                  192.236.179.76
myasaa.xyz                  192.236.178.135
masyaa.xyz                  192.236.193.86
maysaa.xyz                  192.236.193.81
msaaay.xyz                  192.236.192.215
maaays.xyz                  192.236.194.2
maaasy.xyz                  192.236.194.31
cookingzoho.com             192.236.195.42
zohomclass.com              192.236.195.83
zohocooking.com             192.236.198.22
studyzoho.com               192.236.198.23
molesste.xyz                192.236.208.56
zohocookingmeals.com        192.236.199.2
zohokitchen.com             192.236.192.2
ullamm.xyz                  23.254.227.79
zohokitchenmaster.com       192.236.192.9
zohoteachingmaster.com      192.236.192.69
zohoteaching.com            192.236.192.73
tincidut.xyz                142.11.215.104
masterclassgold.com         142.11.215.25
proodee.xyz                 192.236.179.217
zohocookingclass.com        198.54.117.244
zohoclasspro.com            142.11.215.212
deerunt.xyz                 142.11.206.153
nostuud.xyz                 192.236.147.234
aliuuip.xyz                 23.254.228.211
zohoduolingo.com            192.236.209.36
duolingoclass.com           192.236.209.34
acsyruse.xyz                192.236.155.81
zoholanguageclass.com       142.11.209.198
zoholanguage.com            104.168.164.244
duo-lingo-class.com         104.168.204.231
caaom.xyz                   192.236.155.151
caaof.xyz                   192.236.155.106
caaog.xyz                   192.236.155.138
caaor.xyz                   192.236.155.103
caaon.xyz                   192.236.155.102
duolingo-class.com          192.236.192.33
studyduolingo.com           192.236.177.18
masterclass-cook.com        192.236.193.171
duuis.xyz                   192.236.249.78
eeeaa.xyz                   192.236.249.80
veelit.xyz                  192.236.249.79
eesse.xyz                   192.236.249.76
moolit.xyz                  192.236.249.75
premiumduolingo.com         104.168.201.129
cook-masterclass.com        104.168.201.121
yourduolingo.com            104.168.201.87
masterclasscooking.com      192.119.111.51
duolingoeducation.com       192.119.111.21
educationduolingo.com       192.119.111.197
masterclass-chef.com        104.168.201.100
allduolingo.com             192.236.194.113
allredoo.xyz                192.236.194.42
aredo.xyz                   192.236.160.132
aeedo.xyz                   192.236.193.182
allreedo.xyz                104.168.218.242
alloout.xyz                 104.168.135.71
subscriptionduolingo.com    192.236.195.74
germanbyduolingo.com        192.236.208.44
duolingo-italianclass.com   104.168.171.231
aeecc.xyz                   23.238.40.29
eceee.xyz                   23.238.40.28
aeocc.xyz                   23.238.40.31
aedcc.xyz                   23.238.40.30
aeucc.xyz                   23.238.40.32
duolingoitalian.com         192.236.155.243
duolingoit.com              192.236.176.197
duolingoitclass.com         104.168.171.104
duolingo-it.com             192.236.176.199
italian-duolingo.com        192.119.110.112
masterclass-design.com      192.119.110.166
aaeece.xyz                  142.11.210.14
aaeeci.xyz                  108.174.195.199
aaeeco.xyz                  108.174.197.196
aaeecu.xyz                  104.168.145.45
aaeecy.xyz                  142.11.194.201
eebna.xyz                   192.236.194.76
eecna.xyz                   192.236.194.77
eedna.xyz                   192.236.194.78
eegna.xyz                   192.236.194.80
eetna.xyz                   192.236.194.81
brightmasterclass.com       192.236.192.193
effectivemasterclass.com    192.236.176.143
happymasterclass.com        192.119.110.131
masterclass-business.com    192.119.110.166
masterclasscources.com      23.254.225.145
masterclassworld.com        192.236.198.164
rainbowmasterclass.com      192.236.192.192
strongmasterclass.com       23.254.227.9
unitedmasterclass.com       192.236.179.2
westsidemasterclass.com     23.254.228.85
westernmasterclass.com      23.254.225.145
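Two checks a defender can build from the details above, added here as an example (this is not code from the article or from Unit 42): a DLP-style extractor that recovers a phone number from lure-PDF text even when separators and zero-width characters are interleaved between the digits, and an IoC matcher that parses domain/IP rows as they paste out of the table above and runs them over DNS resolver log lines, flagging both listed domains (including subdomains) and listed IPs reached under an unlisted name. The PDF text, the log lines, the log format and the specific obfuscations are constructed assumptions for the example; the IoC rows are copied from the table.

```python
"""Defender-side checks for the Luna Moth callback-phishing chain.
Added example; not code from the article or Unit 42. IoC rows are copied from
the article's table; the PDF text, DNS log and obfuscations are constructed."""
import ipaddress
import re

# Rows copied from the IoC table in the two shapes a paste produces:
# domain and IP run together, or separated by whitespace.
IOC_TABLE_TEXT = """
dictumst.xyz23.254.229.90
mczoho.com192.119.111.25
zohocook.com192.236.177.251
duolingo-class.com 192.236.192.33
 masterclass-design.com 192.119.110.166
"""

# Every domain in the table ends in .xyz or .com, so the TLD anchors the split
# between domain and IP even when no separator survived the paste.
IOC_ROW = re.compile(
    r"^\s*(?P<domain>[a-z0-9.-]+?\.(?:xyz|com))\s*"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_ioc_table(text: str) -> dict[str, ipaddress.IPv4Address]:
    """Return {domain: ip} for every well-formed row; anything else is skipped."""
    iocs = {}
    for line in text.splitlines():
        match = IOC_ROW.match(line)
        if match:
            iocs[match["domain"].lower()] = ipaddress.ip_address(match["ip"])
    return iocs


# Separators the lure may interleave between digits: spaces, punctuation and
# zero-width/format characters (assumed obfuscations for this example). Only
# runs sitting between two digits on the same line are removed, so a dollar
# amount on one line is not fused with a phone number on the next.
_INTERDIGIT_JUNK = re.compile(
    r"(?<=\d)[ \t\-\.\(\)\+_/\\*\u200b\u200c\u200d\u2060\ufeff]+(?=\d)"
)


def extract_phone_numbers(text: str) -> list[str]:
    """Return NANP numbers (10 digits, or 11 with a leading 1) as +1XXXXXXXXXX."""
    found = []
    for line in text.splitlines():
        collapsed = _INTERDIGIT_JUNK.sub("", line)
        for run in re.findall(r"\d+", collapsed):
            if len(run) == 10:
                found.append("+1" + run)
            elif len(run) == 11 and run.startswith("1"):
                found.append("+" + run)
    return found


def scan_dns_log(log_text: str, iocs: dict) -> list[tuple[str, str, str]]:
    """Flag queries for an IoC domain (or a subdomain of one) and answers that
    resolve to an IoC IP, which catches the same infrastructure under a new name.
    Assumed log line format: '<timestamp> <client> <query> <answer>'."""
    ioc_ips = set(iocs.values())
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, query, answer = parts
        name = query.lower().rstrip(".")
        if name in iocs or any(name.endswith("." + d) for d in iocs):
            hits.append((client, query, "ioc-domain"))
            continue
        try:
            if ipaddress.ip_address(answer) in ioc_ips:
                hits.append((client, query, "ioc-ip"))
        except ValueError:  # NXDOMAIN, CNAME target, etc.
            pass
    return hits


# Constructed lure text as a PDF-to-text tool might emit it (555-01xx is reserved for fiction).
SAMPLE_PDF_TEXT = """Thank you for renewing your subscription.
Invoice ID: ZH-4471-Q
Your card ending 4412 was charged $899.00.
To cancel or dispute this charge call: 1 (8 0 0) 5 5 5 - 0 1 2 3
Support line: 8 0 0 . 5 5 5 . 0 1 9 9
"""

# Constructed resolver log; the last line resolves an unlisted name to a listed IP.
SAMPLE_DNS_LOG = """\
2023-10-04T09:12:01Z 10.20.30.41 www.example.com 93.184.216.34
2023-10-04T09:13:27Z 10.20.30.41 zohocook.com 192.236.177.251
2023-10-04T09:13:28Z 10.20.30.41 cdn.masterclass-design.com 192.119.110.166
2023-10-04T09:15:02Z 10.20.30.77 updates.example.net 23.254.229.90
"""

if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE_TEXT)
    print("lure phone numbers:", extract_phone_numbers(SAMPLE_PDF_TEXT))
    for client, query, reason in scan_dns_log(SAMPLE_DNS_LOG, iocs):
        print(f"{client} queried {query}: {reason}")
```

The phone extractor deliberately works line by line and only strips characters that sit between two digits; collapsing whitespace across the whole document would fuse the invoice amount, the unique ID and the phone number into one long digit run and miss the number entirely. The IP-based match in the DNS scan is what makes the table useful beyond the listed names: the group registers many look-alike domains, but several of them share a handful of hosts.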
