Luna Moth Ransomware: The Threat Actors Behind Recent False Subscription Scams

Over the last few months, Sygnia’s Incident Response team has been methodically tracking the ‘Luna Moth’ ransom group. Their modus-operandi resembles scammers, with the twist of corporate data theft, leveraging the threat of publication to demand millions of dollars in ransom.

key points

• The Sygnia Incident Response team identified a relatively new threat group, which has been operating since the end of March 2022. Sygnia refers to this threat actor as ‘Luna Moth’ or TG2729.
• ‘Luna Moth’ focuses on Data Breach extortion attacks, threatening to leak stolen information if the demanded ransom is not paid.
• The initial compromise is achieved by deceiving victims in a phishing campaign under the theme of Zoho MasterClass and Duolingo subscriptions, leading to the installation of an initial tool on the compromised host.
• The group uses commercial remote administration tools (RATs) and publicly available tools to operate on compromised devices and maintain persistency, demonstrating once more the simplicity and effectiveness of ransom attacks.
• The group acts and operates in an opportunistic way: even if there are no assets or devices to compromise in the network, they exfiltrate any data that is accessible; this emphasizes the importance of managing sensitive corporate information.

the ‘Luna Moth’ group 

With the rise in ransomware activity over the past years, the security industry has become used to hearing about double extortion, and even triple extortion attacks, and new crime groups of all kinds. In this blog post, we shed light on a relatively new threat actor which goes by the name of the ‘Silent Ransom Group’ (or ‘SRG’) and was dubbed ‘Luna Moth’ by Sygnia. By launching a phishing campaign with a wide coverage area, ‘Luna Moth’ infiltrates and compromises victim devices. These attacks can be categorized as data breach ransom attacks, in which the main focus of the group is to gain access to sensitive documents and information, and demand payment to withhold publication of the stolen data. Simple as they may be, these attacks can create serious issues for victims if sensitive data and information is stolen in this way.

Although the group is not widely known, they have been active in the past months, attempting to build their reputation as a ransom gang. Their modus-operandi resembles scammers, with the twist of corporate data theft, leveraging the threat of publication to demand millions of dollars in ransom.

Gaining initial access

Over the past three months, the ‘Luna Moth’ group operated a large-scale phishing campaign under the theme of MasterClass and Duolingo subscriptions, by impersonating Zoho MasterClass Inc and Duolingo. Although claiming to be related to the Zoho Corporation or Duolingo, the phishing emails are sent from Gmail addresses that are altered to resemble the legitimate company email addresses:

• {FIRST-NAME}.{LAST-NAME}[email protected]
• {FIRST-NAME}.{LAST-NAME}[email protected]

This is a classic phishing scam: the email claims that the recipient of the email purchased a subscription to a legitimate service, and that payment is due. To complete the scam, an invoice PDF file is attached to the email, and the victim is recommended to call a phone number, which the email states can be found within the attached file, if there are any issues with the subscription.

If the victim wishes to refute the purchase, they are required to join a Zoho remote support session. At this point, the threat actor uses the native Zoho Assist functionality to send another email, entitled “Zoho Assist – Remote Support session”, which guides the user to download and install the Zoho Assist application. The group then invites the victim to the support session using Zoho Assist accounts that are tied to protonmail emails.

During this short yet effective Zoho Assist session, the threat actor is able to trick the user into downloading and installing Atera on their device; this is a remote administration tool commonly used by threat actors. Once Atera is installed on the device, the threat actor can access the device and operate freely.

Tools in the arsenal

The examples shown above demonstrate that both the activities and the toolset of ‘Luna Moth’ are fairly unsophisticated. The main tools used by the threat actor consist of remote administration tools (RATs) that allow them to control compromised devices; these include Atera, Splashtop, Syncro, and AnyDesk. These tools also provide the threat actors with some redundancy and persistence: if one of the RATs is removed from the system, it can be reinstalled by the others.

Additional tools used by the group include off-the-shelf tools such as SoftPerfect Network Scanner, SharpShares, and
Rclone. The tools are stored on compromised machines under false names masquerading as legitimate binaries. These tools, in addition to the RATs, provide the threat actors with the means to conduct basic reconnaissance activities, access additional available assets, and exfiltrate data from compromised networks.

Campaign infrastructure

The infrastructure used by ‘Luna Moth’ as part of the subscription scams can be mapped to two main clusters of domains and IPs: 

• Exfiltration domains: Domains under the XYZ TLD, such as maaays[.]xyz. These domains are used by the group as part of the Rclone exfiltration process; the domains are the target to which the exfiltrated data is sent.
• Phishing domains that appear to be related to Zoho or Duolingo – for example, masterzohoclass[.]com. Most of these domains have a very short lifespan of about four hours.
  

The first identified domain related to the campaign was registered during April 2022. Both the exfiltration and phishing domains are hosted by the provider Hostwinds, and registered under Namecheap.

If you were impacted by this attack or are seeking guidance on how to prevent similar attacks, please contact us at [email protected] or our 24-hour hotline +1-877-686-8680.