Palo Alto’s Unit 42 has investigated several incidents linked to the Luna Moth group callback phishing extortion campaign targeting businesses in multiple sectors, including legal and retail. The analysis discovered that the threat actors behind the campaign leverage extortion without malware-based encryption, have significantly invested in call centers and infrastructure unique to attack targets, and are evolving their tactics over time. Unit 42 stated that the campaign has cost victims hundreds of thousands of dollars and is expanding in scope.
Luna Moth removes malware portion of phishing callback attack
Callback phishing – or telephone-oriented attack delivery (TOAD) – is a social engineering attack that requires a threat actor to interact with the target to accomplish their objectives. It is more resource intensive but less complex than script-based attacks and it tends to have a much higher success rate, Unit 42 wrote in a blog posting. Actors linked to the Conti ransomware group had success with this type of attack with the BazarCall campaign, which focused on tricking victims into downloading the BazarLoader malware. This malware element is synonymous with traditional callback phishing attacks. Interestingly, in this campaign, Luna Moth does away with the malware portion of the attack, instead using legitimate and trusted systems management tools to interact directly with a victim’s computer to manually exfiltrate data for extortion. “As these tools are not malicious, they’re not likely to be flagged by traditional antivirus products,” the researchers wrote.