Black Arrow Cyber Advisory 23/11/2022 - Extortion Group Luna Moth's novel Malware-Free Callback Phishing Campaign Targeting SMBs
Executive Summary
The Luna Moth extortion group has invested in call centres and additional infrastructure to target businesses with phishing emails, perpetrating to be legitimate invoices for subscription services such as Dualingo, that are bypassing traditional detection methodology as malware is not used within the emails or the attachments. Victims call back on the number to dispute the subscription, from which they are convinced to install a legitimate remote access support tool. The threat actor then copies off data from the victim, and then extorts them. Reports on this threat actor comes from the investigation of several incidents of these callback phishing campaigns by Unit 42 of Palo Alto Networks. A report was also written on the threat actor in July by the cyber technology and services company Sygnia.
What’s the risk to me or my business?
The fact that this group does not use malware to access and harvest data makes them by nature harder to protect against. The protection of the organisation is reliant on it’s people not calling back and allowing the threat actor to install remote access software onto the endpoint devices.
What can I do?
Technical controls to prevent the installation of remote access tools, and to track for anomalous behaviour including the significant uploading of files could help to mitigate from this particular attack, however the key control here is education of people not to carry out call-back confirmation using phone numbers provided within the phishing emails, and instead to confirm with the legitimate organisation such as Duolingo, that a subscription has not been setup.
Further information on the extortion group can be found here: https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/, https://blog.sygnia.co/luna-moth-false-subscription-scams
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity