A new extortion group called ‘Luna Moth’ steals data with fake subscription emails
A new data extortion group named Luna Moth has been observed stealing confidential information from companies and threatening the victims into paying a ransom to keep the compromised data from being made publicly available.
The extortion group has been active since March, running phishing campaigns and delivering remote access tools (RATs) in order to steal company data from a remote location.
According to the cybersecurity company Sygnia, which has been tracking the extortion group, Luna Moth is trying to build a silent ransom group (SRG) threat actor. Sygnia said that the Luna Moth ransom group's mode of operation closely resembles that of scammers, as the group reaches its targets via phishing attacks.
The cybersecurity company provided details on how the group initiates its attacks. Reportedly, for the past three months, the extortion group has been conducting large-scale campaigns to lure victims with false subscription emails with an invitation to Zoho, Masterclass, or Duolingo services. The email usually says that a payment for one of these services is due and that the subscription will end if the victim does not proceed with the payment.
Luna Moth usually impersonates brands in phishing campaigns targeting Gmail accounts. The email also comes with a fake invoice attachment that provides contact details for finding out more about the subscription. When the victim calls the listed phone number, the scammer instructs the victim to install a remote access tool on the system.
Sygnia says the threat actor uses remote desktop solutions such as Atera, AnyDesk, Synchro, and Splashtop. The group has also been targeting victims with fake billing emails for renewing antivirus subscriptions. Luna Moth has been observed to use almost 90 domain names for hosting data from compromised companies.
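The lure described above can be triaged on the mail side with a simple indicator check. The following is an added example, not code from Sygnia or the article: the brand-to-domain mapping, keyword list, threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Brands named in the article, mapped to the domain assumed to be legitimate.
BRANDS = {"zoho": "zoho.com", "masterclass": "masterclass.com", "duolingo": "duolingo.com"}
BILLING = re.compile(r"\b(subscription|renew\w*|payment|invoice|billing)\b", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")  # loose phone-number pattern

def indicators(msg):
    """Return the callback-phishing indicators present in one message."""
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject']}\n{body.get_content() if body else ''}"
    hits = []
    for brand, domain in BRANDS.items():
        legit = sender_domain == domain or sender_domain.endswith("." + domain)
        if brand in text.lower() and not legit:
            hits.append("brand_mismatch")  # brand named, sender is someone else
            break
    if BILLING.search(text):
        hits.append("billing_lure")
    if PHONE.search(text):
        hits.append("callback_number")  # victim is asked to call, not click
    names = [(a.get_filename() or "").lower() for a in msg.iter_attachments()]
    if any("invoice" in n for n in names):
        hits.append("invoice_attachment")
    return hits

def is_suspect(msg, threshold=3):
    """Flag a message for review when enough indicators co-occur."""
    return len(indicators(msg)) >= threshold

def build(sender, subject, body, attachment=None):
    """Construct a sample message (test data, not a captured email)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"%PDF-1.4 sample", maintype="application",
                         subtype="pdf", filename=attachment)
    return m

LURE = build("Billing Team <billing.desk@example.net>",
             "Your Duolingo subscription payment is due",
             "Your plan will end unless payment is made. Call +1 (555) 010-0199.",
             "Invoice_8841.pdf")
BENIGN = build("Duolingo <hello@duolingo.com>", "Your weekly progress",
               "Your Duolingo streak is safe. Keep learning!")
```

No single indicator is conclusive on its own, which is why the check only flags a message when several appear together.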