"Luna Moth Ransomware Group Invests in Call Centers to Target Individual Victims"

Palo Alto Networks Inc.'s Unit 42 released a new report detailing the rise of a ransomware group that has invested in call centers and infrastructure to target individual victims. Luna Moth, also known as the Silent Ransom Group, has been active since March, beginning with a campaign that compromises organizations through fake subscription renewals. To enable corporate data theft, the group used phishing campaigns that deliver remote-access tools. After stealing confidential information, the group threatens to make the files public unless a ransom is paid. The Unit 42 researchers discovered several common indicators suggesting that these attacks are the product of a single well-planned campaign.

To take its attacks to the next level, Luna Moth has invested heavily in call centers and in infrastructure that is unique to each victim. The group performs callback phishing, a social engineering attack that requires a threat actor to interact with the target in order to achieve its goals. This attack style requires more resources but is less complex than script-based attacks and has a much higher success rate. Callback phishing, also known as telephone-oriented attack delivery, is not a new method: it was previously used by the infamous Conti group. However, Luna Moth has evolved in that it no longer employs malware in its attacks. Instead, it relies on legitimate and trusted system management tools to interact directly with a victim's computer and manually exfiltrate data for extortion. By using legitimate tools, Luna Moth can ensure that its activity is not detected as malicious and is therefore unlikely to be flagged by traditional security products. This article continues to discuss Luna Moth's tools and tactics.

SiliconANGLE reports "Luna Moth Ransomware Group Invests in Call Centers to Target Individual Victims"
