New ‘Luna Moth’ hackers breach orgs via fake subscription renewals

A new data extortion group has been breaching companies to steal confidential information, threatening to make the files publicly available unless the victims pay a ransom.

The gang has been named Luna Moth and has been active since at least March in phishing campaigns that deliver remote access tools (RATs), which enable the theft of corporate data.

Phishing attack

The Incident Response team at cybersecurity company Sygnia has been tracking the activity of the Luna Moth ransom group, noting that the actor is trying to build a reputation using the name Silent Ransom Group (SRG).

In a report earlier this month, Sygnia says that the modus operandi of Luna Moth (also tracked as TG2729) resembles that of a scammer, although the focus is on getting access to sensitive information.

To achieve that, Luna Moth relies on phishing attacks. Over the past three months, the group ran a large-scale campaign luring victims with fake subscription emails for Zoho, MasterClass, or Duolingo services.

Victims would receive a message allegedly from one of the aforementioned services announcing that the subscription is about to end and that it will be automatically renewed, with 24 hours to process the payment.

The scam email message (Sygnia)

Luna Moth uses email addresses with names that impersonate the brands used in the phishing campaign. Looking closer, the scam is obvious since the messages come from Gmail accounts.

The email comes with a fake invoice attached, which provides a contact for those who want to learn more about the subscription or cancel it.

Fake invoices used by Luna Moth (Sygnia)

Calling the phone number in the invoice puts the victim in contact with the scammer, who provides instructions to install a remote access tool on the system.
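The one detection hint the article gives for this lure is that the sender display name impersonates Zoho, MasterClass or Duolingo while the message itself comes from a Gmail account, usually with a subject pressing for payment within 24 hours. The following is an added example of turning that into a mail-triage heuristic; it is not code from Sygnia or from the article, and the brand list, freemail list, urgency pattern and sample headers are all constructed for illustration.

```python
"""Flag brand-impersonating 'subscription renewal' emails sent from free webmail.

Added example (not from the Sygnia report or the article). Heuristic: the
sender's display name or local part names an impersonated brand, but the
sending domain is a free webmail provider. The lists and sample headers below
are constructed assumptions, not indicators published by the researchers.
"""
import re
from email.utils import parseaddr

IMPERSONATED_BRANDS = ("zoho", "masterclass", "duolingo")          # brands named in the article
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "yahoo.com"}  # assumed list
URGENCY = re.compile(r"\b(24 hours|auto[- ]?renew\w*|renewal)\b", re.IGNORECASE)


def impersonation_flags(from_header, subject=""):
    """Return the reasons a message matches the lure; an empty list means no match."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.partition("@")
    haystack = f"{display} {local}".lower()
    brands = [b for b in IMPERSONATED_BRANDS if b in haystack]
    # A brand name from the brand's own domain is normal mail; only freemail senders count.
    if not brands or domain.lower() not in FREEMAIL_DOMAINS:
        return []
    reasons = [f"sender name claims '{brands[0]}' but mail comes from freemail domain {domain.lower()}"]
    if URGENCY.search(subject):
        reasons.append("renewal/urgency wording in subject")
    return reasons


def triage(messages):
    """messages: iterable of (from_header, subject). Returns (from, subject, reasons) for matches."""
    hits = []
    for from_header, subject in messages:
        reasons = impersonation_flags(from_header, subject)
        if reasons:
            hits.append((from_header, subject, reasons))
    return hits


# Constructed sample headers (not real campaign messages).
SAMPLE_MESSAGES = [
    ('"Duolingo Billing" <duolingo.billing.team@gmail.com>',
     "Your Duolingo Plus subscription will auto-renew in 24 hours"),
    ('"Zoho Subscriptions" <zoho-invoices@gmail.com>',
     "Invoice attached - subscription renewal"),
    ("Duolingo <no-reply@duolingo.com>", "Your subscription renewal"),   # legitimate domain, not flagged
    ("Alice <alice@gmail.com>", "lunch tomorrow?"),                     # freemail but no brand, not flagged
]

if __name__ == "__main__":
    for from_header, subject, reasons in triage(SAMPLE_MESSAGES):
        print(f"{from_header} | {subject}")
        for reason in reasons:
            print("   -", reason)
```

The check deliberately keys on the mismatch between claimed brand and sending domain rather than on the brand name alone, so genuine renewal notices from the vendor's own domain pass through untouched.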

Common tools and tactics

As seen from the modus operandi, Luna Moth is far from a sophisticated threat actor, and the tools they use support this theory.

According to Sygnia, the gang uses commercially available remote desktop solutions such as Atera, AnyDesk, Syncro, and Splashtop.

In many of the observed attacks, the threat actors installed more than one RAT on the victim’s machine for redundancy and persistence, the researchers say.

Other tools installed manually by the threat actors include SoftPerfect Network Scanner, SharpShares, and Rclone, which collectively help adversaries with reconnaissance on the network to locate valuable files, pivoting, and stealing the data.

These tools have been seen in past attacks by scammers who lured victims with fake billing emails for renewing antivirus subscriptions.

Sygnia says that the threat actors don't target specific victims. They deploy opportunistic attacks, grabbing anything they can access and then proceeding to extort the victim.

However, the threat actor's demands are quite high, as researchers say that Luna Moth may ask for "millions of dollars in ransom."

Dozens of domains used

Despite lacking sophistication, Sygnia found that Luna Moth has been using close to 90 domain names as part of their infrastructure or for hosting data from breached companies.

All sites used for phishing had names resembling the impersonated brand, in this case Zoho, MasterClass, and Duolingo; researchers found more than 40 of these. The rest were used as exfiltration servers.

While extortion is widely associated with ransomware operations, it appears that stealing sensitive data without encrypting systems is turning into a new way to monetize corporate breaches.

Another data extortion group is called Karakurt, which researchers connected to the recently shut down Conti ransomware operation.
