Researchers have spotted a threat actor that has managed to extort hundreds of thousands of dollars over the last few months from mostly small and midsize businesses — without using any encryption tools or malware.
Instead, the attacker — dubbed Luna Moth (aka the “Silent” ransomware group) has been using an array of legitimate tools and a technique dubbed “call-back phishing.” The tactic is to steal sensitive data from victim organizations and use it as leverage to extort money from them.
Most of the attacks so far have targeted smaller organizations in the legal industry; more recently, though, the adversary has begun going after larger companies in the retail sector as well, researchers from Palo Alto Network’s Unit 42 said in a report Monday. The evolution of the attacks suggests the threat actor has become more efficient with its tactics and now presents a danger to businesses of all sizes, the security vendor warned.
“We are seeing this tactic successfully targeting all sizes of businesses — from large retailers to small/medium sized legal organization” says Kristopher Russo, senior threat researcher with Unit 42 at Palo Alto Networks. “Because social engineering targets individuals, the size of the company does not offer much protection.”
Call-back phishing is a tactic that security researchers first observed the Conti ransomware group using more than a year ago in a campaign to install BazarLoader malware on victim systems.
The scam starts with an adversary sending a phishing email to a specific, targeted individual at a victim organization. The phishing email is custom made for the recipient, originates from a legitimate email service, and involves some kind of a lure to get the user to initiate a phone call with the attacker.
In the Luna Moth incidents that Unit 42 researchers observed, the phishing email contains an invoice — in the form of a PDF file — for a subscription service in the recipient’s name. The attackers inform the victim the subscription will soon become active and get billed to the credit card number on file. The email provides a phone number to a purported call center — or sometimes multiple numbers — that users can call if they had questions about the invoice. Some of the invoices have logos of a well-known company on top of the page.
“This invoice even includes a unique tracking number used by the call center,” Russo says. “So, when the victim calls the number to dispute the invoice, they look like a legitimate business.”
The attackers then convince users who called to initiate a remote session with them using the Zoho Assist remote support tool. Once the victim is connected to the remote session, the attacker takes control of the victim’s keyboard and mouse, enables access to the clipboard, and blanks out the user’s screen, Unit 42 said.
After the attackers have accomplished that, their next step has been to install the legitimate Syncro remote support software for maintaining persistence on the victim’s machine. They have also deployed other legit tools such as Rclone or WinSCP to steal data from it. Security tools rarely flag these products as suspicious because administrators have legitimate use cases for them in an environment.
In early attacks, the adversary installed multiple remote monitoring and management tools such as Atera and Splashtop on victim systems, but lately they appear to have whittled down their toolkit, Unit 42 said.
If a victim does not have administrative rights on their system, the attacker eschews any attempt to maintain persistence on it and instead goes straight to stealing data by leveraging WinSCP Portable.
“In cases where the attacker established persistence, exfiltration occurred hours to weeks after initial contact. Otherwise, the attacker only exfiltrated what they could during the call,” Unit 42 said in its report.
Applying the Most Pressure
The Luna Moth group has typically gone after data that, when leveraged, will apply the most pressure to the victim, Russo says. In targeting legal firms, the attacker appeared to have a good knowledge of the industry, knowing the kind of data that would likely cause the most harm in the wrong hands.
“In the cases that Unit 42 investigated, they targeted sensitive and confidential data of the law firm’s clients,” Russo explains. “The attacker reviewed the data they stole and included a sample of the most damaging data they stole in the extortion email.”
In many attacks, the adversary called out the victim’s largest clients by name and threatened to contact them if the victim organization did not pay the demanded ransom — which typically has ranged from 2 to 78 Bitcoin.
In the cases Unit 42 has investigated, the attackers did not move laterally once they had gained access to a victim’s machine. “However, they do continue to monitor the compromised computer if the victim has admin credentials — even going so far as to call and taunt the victims if they detect remediation efforts,” Russo says.
Sygnia, one of the first to report on Luna Moth’s activities, described the group as likely surfacing in March. The security vendor said it had observed the threat actor using commercially available remote access tools such as Atera, Splashtop, and Syncro, as well as AnyDesk for persistence. Sygnia said its researchers had also observed the threat actor using other legitimate tools such as SoftPerfect network scanner for reconnaissance and SharpShares for network enumeration. The attacker’s tactic has been to store the tools on compromised systems with names that spoof legitimate binaries, Sygnia said.
“The threat actor in this campaign specifically seeks to minimize their digital footprint to evade most technical security control,” Russo says.
Because they have been relying entirely on social engineering and legitimate tools in the campaign, the attacks leave very few artifacts, Unit 42 said. Thus, “we recommend that organizations of all sizes conduct security awareness training for employees” to protect against the new threat, Russo says.