'Luna Moth' Cybercriminals Breach Orgs Through Phony Subscription Renewals 

A new data extortion gang has been breaking into businesses' systems to steal secret information, then threatening to release the files to the public unless the victims pay a ransom. The group, which adopted the nickname Luna Moth, has been running phishing campaigns since March that distribute remote access tools (RATs) to facilitate corporate data theft.

The incident response team at cybersecurity firm Sygnia has been monitoring the Luna Moth ransom group and notes that the actor is attempting to establish a reputation under the moniker Silent Ransom Group (SRG). In a report earlier this month, Sygnia stated that although the goal of Luna Moth (also tracked as TG2729) is to obtain sensitive information, its method of operation mimics that of a fraudster.

Luna Moth uses phishing to get that access. Over the last three months, the gang ran a significant campaign that lured victims with phony subscription emails for Zoho, MasterClass, or Duolingo services. Victims would get a message, supposedly from one of these services, warning them that their subscription was about to expire and would be automatically renewed, giving them 24 hours to make the payment.

The email addresses Luna Moth uses impersonate the brands in the phishing campaign. On close inspection the fraud is clear, since the messages originate from Gmail accounts. The email includes a false invoice as an attachment, containing contact information for anyone who wants to find out more about the subscription or cancel it. When the victim calls the number shown on the invoice, the con artist answers and gives them instructions on how to set up a remote access tool on the system.
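The mismatch described above (a brand name in the sender field, a Gmail account behind it, and an invoice attachment) can be checked mechanically at the mail gateway. The following is an added example, not code from Sygnia or from this article; the lure keyword list is an assumption, and the sample messages and addresses are constructed.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

BRANDS = {"zoho", "masterclass", "duolingo"}   # brands named in the article
FREEMAIL = {"gmail.com"}                        # article: lures came from Gmail accounts
LURE_WORDS = ("subscription", "renew", "invoice", "expire")  # assumed keyword list

def score_message(raw: str) -> dict:
    """Report which traits of the described lure a raw RFC 5322 message shows."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    subject = str(msg.get("Subject", "")).lower()
    # The brand may be claimed in the display name or in the mailbox local part.
    claimed = sorted(b for b in BRANDS if b in display.lower() or b in local)
    brand_on_freemail = bool(claimed) and domain in FREEMAIL
    renewal_lure = any(w in subject for w in LURE_WORDS)
    has_attachment = any(True for _ in msg.iter_attachments())
    return {
        "claimed_brands": claimed,
        "sender_domain": domain,
        "brand_on_freemail": brand_on_freemail,
        "renewal_lure": renewal_lure,
        "has_attachment": has_attachment,
        # Flag only when the brand/free-mail mismatch coincides with a lure trait.
        "flag": brand_on_freemail and (renewal_lure or has_attachment),
    }

def make_sample(sender: str, subject: str, attach: bool) -> str:
    """Build a constructed test message (not a real captured email)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@corp.example", subject
    m.set_content("Call the number on the invoice to cancel.")
    if attach:
        m.add_attachment(b"%PDF-", maintype="application", subtype="pdf",
                         filename="invoice.pdf")
    return m.as_string()

if __name__ == "__main__":
    lure = make_sample("Duolingo Billing <duolingo.billing.example@gmail.com>",
                       "Your subscription will renew in 24 hours", True)
    print(score_message(lure))
```

A flagged message is a candidate for quarantine or a warning banner rather than proof of fraud, since the check only looks at headers and attachment presence.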

The tools they leverage and their modus operandi demonstrate that Luna Moth is not a highly skilled threat actor. According to Sygnia, the group employs commercial remote desktop programs, including Atera, Synchro, AnyDesk, and Splashtop. In several observed attacks, the researchers say, the threat actors placed several RATs on the victim’s device for redundancy and persistence.

The threat actors also manually installed SoftPerfect Network Scanner, SharpShares, and Rclone, which together aid attackers in network reconnaissance to find valuable files, pivoting, and data theft. These tools have been used in the past by scammers who used fraudulent invoicing emails to entice victims into renewing their antivirus subscriptions. 

According to Sygnia, the threat actors do not focus on particular victims. They use opportunistic attacks to seize whatever is available before extorting the victim. However, the demands of the threat actor are rather high; researchers disclose that Luna Moth may seek “millions of dollars in ransom.” 

Sygnia discovered that, despite its lack of expertise, Luna Moth has been employing around 90 domain names as a component of its infrastructure or for hosting data from compromised firms. Researchers discovered over 40 phishing sites, all of which had names that resembled the impersonated brand, in this case Zoho, MasterClass, and Duolingo. The remainder served as servers for exfiltration.

Although ransomware attacks are frequently linked to extortion, acquiring confidential information without encrypting systems is evolving into a new technique to profit from corporate breaches. Researchers linked the Karakurt data extortion gang to the recently shuttered Conti ransomware operation. 

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.