Palo Alto’s Unit 42 has investigated several incidents linked to the Luna Moth group callback phishing extortion campaign targeting businesses in multiple sectors, including legal and retail. The analysis discovered that the threat actors behind the campaign leverage extortion without malware-based encryption, have significantly invested in call centers and infrastructure unique to attack targets, and are evolving their tactics over time. Unit 42 stated that the campaign has cost victims hundreds of thousands of dollars and is expanding in scope.
Luna Moth removes malware portion of phishing callback attack
Callback phishing – or telephone-oriented attack delivery (TOAD) – is a social engineering attack that requires a threat actor to interact with the target to accomplish their objectives. It is more resource-intensive but less complex than script-based attacks, and it tends to have a much higher success rate, Unit 42 wrote in a blog post. Actors linked to the Conti ransomware group had success with this type of attack with the BazarCall campaign, which focused on tricking victims into downloading the BazarLoader malware. This malware element is synonymous with traditional callback phishing attacks. Interestingly, in this campaign, Luna Moth does away with the malware portion of the attack, instead using legitimate and trusted systems management tools to interact directly with a victim’s computer to manually exfiltrate data for extortion. “As these tools are not malicious, they’re not likely to be flagged by traditional antivirus products,” the researchers wrote.
Fake credit card invoice initial phishing lure
The initial lure of this campaign is a phishing email to a corporate email address with an attached PDF invoice indicating the recipient’s credit card has been charged for a subscription service, Unit 42 said. This is usually for an amount under $1,000. Emails are personalized to the recipient and sent via legitimate email services, meaning they are less likely to be intercepted by email protection platforms, Unit 42 added. “The attached invoice includes a unique ID and phone number, often written with extra characters or formatting to prevent data loss prevention (DLP) platforms from recognizing it. When the recipient calls the number, they are routed to a threat actor-controlled call center and connected to a live agent.”
Appearing to help the victim cancel the subscription, the actor guides the caller through downloading and running a remote support tool to allow the attacker to manage their computer. “This step usually generates another email from the tool’s vendor to the victim with a link to start the support session,” Unit 42 wrote.
The attacker then downloads and installs a remote administration tool (Syncro) that allows them to achieve persistence before trying to identify valuable information and connected file shares, which they exfiltrate to a server they control using file transfer tools such as Rclone and WinSCP. After stealing the data, the attacker sends an extortion email demanding victims pay a fee, or the information will be released. These demands become more aggressive if the victim does not comply, the researchers noted. “In the cases Unit 42 investigated, the attacker claimed to have exfiltrated data in amounts ranging from a few gigabytes to over a terabyte.”
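Because the tooling in this chain is legitimate, signature-based detection gives little; the behavioral signal is the sequence itself: a remote administration agent appearing on a workstation, followed shortly by a bulk file transfer tool. The following is an added example, not code from Unit 42 or the article, that correlates constructed endpoint process telemetry to surface that sequence. The Syncro executable names and the sample events are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Executable names tied to the tooling the article describes: the Syncro
# remote administration agent (persistence) and Rclone/WinSCP (exfiltration).
# The Syncro binary names are assumed here; real detection should also check
# signer, image path and command line, not just the file name.
ADMIN_TOOLS = {"syncro.exe", "syncroservice.exe"}
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe"}

# Flag a transfer tool that starts within this window after an admin agent.
WINDOW = timedelta(hours=24)

# Constructed sample telemetry: (host, ISO timestamp, process image name).
SAMPLE_EVENTS = [
    ("ws-legal-07", "2022-10-03T09:14:00", "outlook.exe"),
    ("ws-legal-07", "2022-10-03T09:31:22", "syncro.exe"),
    ("ws-legal-07", "2022-10-03T11:02:45", "rclone.exe"),
    ("ws-retail-12", "2022-10-04T14:00:00", "winscp.exe"),  # no prior admin agent
    ("ws-legal-07", "2022-10-03T11:40:10", "winscp.exe"),
    ("it-admin-01", "2022-10-01T08:00:00", "syncro.exe"),   # admin agent alone
]


def parse_events(events):
    """Normalize raw tuples into (host, datetime, lowercase process name)."""
    return [(h, datetime.fromisoformat(t), p.lower()) for h, t, p in events]


def find_exfil_chains(events, window=WINDOW):
    """Return {host: [(admin_start, transfer_start, transfer_proc), ...]} for
    every host where a transfer tool ran within `window` of an admin agent."""
    by_host = defaultdict(list)
    for host, ts, proc in sorted(parse_events(events), key=lambda e: e[1]):
        by_host[host].append((ts, proc))

    hits = {}
    for host, seq in by_host.items():
        admin_starts = []
        for ts, proc in seq:
            if proc in ADMIN_TOOLS:
                admin_starts.append(ts)
            elif proc in TRANSFER_TOOLS:
                recent = [a for a in admin_starts if ts - a <= window]
                if recent:  # transfer tool shortly after the admin agent
                    hits.setdefault(host, []).append((recent[-1], ts, proc))
    return hits


if __name__ == "__main__":
    for host, chain in find_exfil_chains(SAMPLE_EVENTS).items():
        for admin_ts, xfer_ts, proc in chain:
            print(f"{host}: {proc} at {xfer_ts} after admin agent at {admin_ts}")
```

Only ws-legal-07 is flagged: the lone WinSCP run on ws-retail-12 and the lone Syncro run on it-admin-01 each lack the other half of the sequence, which keeps routine admin and transfer activity out of the alert.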
Bitcoin wallets gather extortion payments
Unique Bitcoin wallets are set up for each victim’s extortion payments, with the wallets emptied immediately after funding. Demands ranged from 2-78 BTC based on organizations’ revenue, Unit 42 wrote, with attackers quick to offer discounts of 25% for prompt payment. “Paying the attacker did not guarantee they would follow through with their promises. At times they stopped responding after confirming they had received payment and did not follow through with negotiated commitments to provide proof of deletion,” Unit 42 warned.
Luna Moth campaign tactics evolve to improve efficiency
Unit 42’s analysis of Luna Moth’s campaign showed a clear evolution of tactics that suggests the threat actor is continuing to improve the efficiency of the campaign. For example, the wording of the initial email has changed over time, likely to thwart email protection platforms. Furthermore, early iterations of the campaign recycled phone numbers but later attacks either used a unique phone number per victim or victims would be presented with a large pool of available phone numbers in the invoice, according to Unit 42. “The attacker registered all of the numbers they used via a voice-over-IP (VoIP) provider.”
Early incidents also used a logo from one of the spoofed businesses at the top of the invoice, which was replaced in later cases with a simple header welcoming the target to the spoofed business. “Cases analyzed at the beginning of the campaign targeted individuals at small- and medium-sized businesses in the legal industry. In contrast, cases later in the campaign indicate a shift in victimology to include individuals at larger targets in the retail sector,” according to Unit 42.
Awareness is key to mitigating phishing callback threats
As the threat actors behind this campaign have taken great pains to minimize the potential for detection, employee cybersecurity awareness training is the first line of defense to mitigate threats, Unit 42 wrote. “People should always be cautious of messages that invoke fear or a sense of urgency.” They should be trained not to respond directly to suspicious invoices and to contact the requester directly via the channels made available on the vendor’s official website, it stated. People should also be encouraged to consult internal support channels before downloading or installing software on their corporate computers. The second line of defense is a robust security technology stack designed to detect behavioral anomalies in the environment, Unit 42 added.