Sygnia, a cyber technology and services company, uncovered the campaign and published a report detailing its findings earlier this month. The campaign is operated by a group called the Silent Ransom Group, or SRG, though the firm refers to them as “Luna Moth.” A typical attack begins with a phishing email, and though actual data-encrypting ransomware isn’t used in this campaign, hackers are still able to get a hold of victims’ data and negotiate a ransom for its return. Sygnia added that while the threat actor is relatively new, its campaign is widespread and active.
Hackers Send Phishing Emails to Gain Entry Into Networks
Sygnia said that Luna Moth’s campaign has been active since April 2022. It uses a large-scale phishing campaign in an attempt to breach its targets’ devices. The hackers rely on a commonly used phishing tactic — impersonating a subscription service. In this case, the actors impersonate MasterClass or Duolingo, claiming that the target’s payment for their subscription is due. The email goes on to say that the subscription will be automatically renewed in the next 24 hours using the bank details previously submitted. “Although claiming to be related to the Zoho Corporation or Duolingo, the phishing emails are sent from Gmail addresses that are altered to resemble the legitimate company email addresses,” Sygnia stated. The hackers also included additional elements in their email to make it more convincing, such as an invoice PDF file. The PDF also includes a number that customers can call to raise a complaint. If a user wishes to dispute the charge, they must join a Zoho remote support session.
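The lure described above has a recognisable shape a mail gateway or SOC triage script can check for: a brand name in the sender’s display name or mailbox, a sending domain that belongs to a free-mail provider rather than that brand, a “renews in 24 hours” pretext, an invoice PDF and a phone number to call. The following Python is an added example written for this article, not Sygnia’s tooling or anything from the campaign; the free-mail domain list, the lure phrases, the scoring rule and the sample message are all constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed list of free-mail providers; extend to whatever your gateway treats as "anyone can register here".
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Brands the article reports being impersonated; add your own vendors.
IMPERSONATED_BRANDS = ("zoho", "duolingo", "masterclass")

# Phrases typical of the "subscription renews automatically in 24 hours" pretext (assumed patterns).
LURE_PATTERNS = [
    re.compile(r"\bauto(?:matically)?\s*renew", re.I),
    re.compile(r"\bpayment\b.*\bdue\b", re.I | re.S),
    re.compile(r"\b(?:in|within)\s+(?:the\s+)?next\s+24\s*hours\b", re.I),
]
PHONE_PATTERN = re.compile(r"\+?\d[\d\s().-]{8,}\d")


def brands_in(text):
    """Return the impersonated brand names mentioned in a piece of text."""
    lowered = text.lower()
    return {b for b in IMPERSONATED_BRANDS if b in lowered}


def extract_text_and_attachments(msg):
    """Collect plain-text bodies and attachment file names from a parsed message."""
    texts, attachments = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts), attachments


def analyse_message(raw_message):
    """Score one RFC 822 message for the callback-phishing pattern; returns indicators and a verdict."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    subject = msg.get("Subject", "")
    body, attachments = extract_text_and_attachments(msg)

    indicators = []
    claimed = brands_in(display) | brands_in(local) | brands_in(subject)
    # Brand named in the sender identity but absent from the sending domain: lookalike or free-mail sender.
    if claimed and not any(b in domain for b in claimed):
        indicators.append("brand_domain_mismatch")
    if domain in FREEMAIL_DOMAINS:
        indicators.append("freemail_sender")
    if any(p.search(subject + "\n" + body) for p in LURE_PATTERNS):
        indicators.append("renewal_lure")
    if any(a.lower().endswith(".pdf") and "invoice" in a.lower() for a in attachments):
        indicators.append("invoice_attachment")
    if PHONE_PATTERN.search(body):
        indicators.append("callback_number")

    # Assumed rule: an impersonated brand plus any of the pretext elements is enough to hold for review.
    pretext = {"renewal_lure", "invoice_attachment", "callback_number"}
    verdict = "suspicious" if "brand_domain_mismatch" in indicators and pretext & set(indicators) else "no_match"
    return {"sender": addr, "brands": sorted(claimed), "indicators": indicators, "verdict": verdict}


# Constructed sample message modelled on the pretext described in the article (not a real campaign sample).
SAMPLE_PHISH = """From: Duolingo Billing <duolingo.billing.team@gmail.com>
To: victim@example.com
Subject: Your Duolingo Plus subscription payment is due
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your subscription will be automatically renewed in the next 24 hours using the bank details previously submitted.
To dispute this charge call +1 (555) 010-0199.
--b1
Content-Type: application/pdf; name="invoice_48213.pdf"
Content-Disposition: attachment; filename="invoice_48213.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign message: a vendor billing from its own domain with no impersonated brand.
SAMPLE_BENIGN = """From: Acme SaaS Billing <billing@example-saas.com>
To: victim@example.com
Subject: Your receipt for March
Content-Type: text/plain; charset="utf-8"

Thanks for your payment. No action is needed.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(analyse_message(sample))
```

The check is deliberately header-and-body based so it can run on mail that passed SPF and DKIM: a message sent from a genuine Gmail account authenticates perfectly, which is exactly why brand-versus-domain comparison, not authentication status, is the useful signal here.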
Campaign Uses a Zoho Remote Assist Session to Install RAT
If a user goes down this route, they receive another email directing them to download and install the Zoho Assist application. Once they do so, they have a short Zoho Assist session with the threat actor. Here, the actor tricks the victim into installing a Remote Administration Tool (RAT) called Atera onto their device. Once the RAT is installed, the threat actors can access and control the victim’s device whenever they choose to. Luna Moth also installs other RATs, such as Splashtop, Syncro, and AnyDesk. “These tools also provide the threat actors with some redundancy and persistence: if one of the RATs is removed from the system, it can be reinstalled by the others,” Sygnia added. Luna Moth also installs additional tools which allow it to “conduct basic reconnaissance activities, access additional available assets, and exfiltrate data from compromised networks.”
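Each of these products is legitimate on its own, so a single install event is a weak signal; what stands out is several distinct remote-access tools landing on one endpoint in a short window. The Python below is an added example for this article, not code from Sygnia or from any of the vendors named: it reads a constructed, tab-separated software-install event feed and reports hosts where two or more of the listed tools were installed within a configurable window (72 hours is an assumed default, as is the event format).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Remote-access / RMM products named in the article; matched case-insensitively against product names.
REMOTE_ACCESS_TOOLS = ("zoho assist", "atera", "splashtop", "syncro", "anydesk")

# Constructed sample feed (assumed format): "<ISO time>\t<host>\t<user>\t<event>\t<product>".
SAMPLE_EVENTS = """\
2022-06-01T09:12:04Z\tWS-0417\tj.doe\tINSTALL\tZoho Assist
2022-06-01T09:31:50Z\tWS-0417\tj.doe\tINSTALL\tAtera Agent
2022-06-01T09:40:11Z\tWS-0417\tj.doe\tINSTALL\tSplashtop Streamer
2022-06-03T14:02:33Z\tWS-0417\tj.doe\tINSTALL\tAnyDesk
2022-06-01T10:05:00Z\tWS-0102\tm.smith\tINSTALL\tAnyDesk
2022-06-01T11:00:00Z\tWS-0102\tm.smith\tINSTALL\t7-Zip
2022-06-02T08:00:00Z\tWS-0330\tit.admin\tINSTALL\tAtera Agent
2022-06-15T08:00:00Z\tWS-0330\tit.admin\tINSTALL\tSplashtop Streamer
"""


def classify_tool(product):
    """Map a product name to a canonical remote-access tool name, or None if it is not one."""
    lowered = product.lower()
    for tool in REMOTE_ACCESS_TOOLS:
        if tool in lowered:
            return tool
    return None


def parse_events(text):
    """Parse the tab-separated feed into dicts with a parsed timestamp and a tool classification."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, event, product = line.split("\t")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "event": event.upper(),
            "product": product, "tool": classify_tool(product),
        })
    return events


def find_stacked_remote_tools(events, window=timedelta(hours=72), threshold=2):
    """Report hosts where >= threshold distinct remote-access tools were installed within `window`."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["event"] == "INSTALL" and ev["tool"]:
            by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        best, best_span = set(), None
        # Slide a window starting at each install and keep the window with the most distinct tools.
        for i, start in enumerate(evs):
            seen = {}
            for ev in evs[i:]:
                if ev["time"] - start["time"] > window:
                    break
                seen.setdefault(ev["tool"], ev["time"])
            if len(seen) > len(best):
                best, best_span = set(seen), (start["time"], max(seen.values()))
        if len(best) >= threshold:
            findings.append({"host": host, "tools": best, "first": best_span[0], "last": best_span[1]})
    return findings


if __name__ == "__main__":
    for f in find_stacked_remote_tools(parse_events(SAMPLE_EVENTS)):
        print(f["host"], sorted(f["tools"]), f["first"], "->", f["last"])
```

In the sample, WS-0330 has two tools but thirteen days apart, which a help desk rolling out tooling would plausibly produce, so the window keeps it out of the findings; WS-0417 collects four within three days and is the host to pull for investigation.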
Luna Moth Campaign Uses Dozens of Domains
In its report, Sygnia states that Luna Moth’s campaign lacks sophistication. This is evidenced by its phishing emails, which are commonplace, and its use of off-the-shelf RATs and reconnaissance tools. However, the campaign relies on a large number of domains. These can be divided into two clusters. The first is used for phishing and includes domains mainly related to Zoho or Duolingo. The second cluster relates to exfiltration activities and uses .xyz domains.