Full Report
The data-theft extortion group known as Luna Moth, aka Silent Ransom Group, has ramped up callback phishing campaigns in attacks on legal and financial institutions in the United States. [...]
Analysis Summary
# Threat Actor: Luna Moth
## Attribution & Identity
This threat actor is known by the name **Luna Moth**. They are characterized as an **extortion hacking group**.
## Activity Summary
Luna Moth conducts extortion campaigns primarily targeting **US firms**. Their primary operational method is social engineering: they pose as IT help desks (fake IT support). They send emails containing fake help desk numbers; when a victim calls, the attacker impersonates IT staff and convinces the victim to install Remote Monitoring & Management (RMM) software from seemingly legitimate but fabricated IT help desk sites (e.g., using domain patterns like `[company_name]-helpdesk.com` and `[company_name]helpdesk.com`). Once remote access is established, they search for sensitive data, exfiltrate it, and then demand ransom payments of **one to eight million USD** under the threat of public data leakage on their clearweb extortion site.
The attacks are notable for their stealth, as they **do not appear to use malware, malicious attachments, or links to malicious sites** in the initial phishing stage.
## Tactics, Techniques & Procedures
- **Social Engineering/Impersonation:** Posing as IT help desk staff via phone call after initial email contact.
- **Initial Access/Execution:** Tricking victims into willingly installing legitimate, digitally signed Remote Monitoring & Management (RMM) software.
- **Lateral Movement/Defense Evasion:** Using common, legitimate RMM tools that bypass standard security controls because they are digitally signed and widely used in enterprise environments.
- **Data Staging/Exfiltration:** Searching local files and shared drives, then exfiltrating data using WinSCP (SFTP) or Rclone (cloud syncing).
- **Extortion:** Demanding high ransoms ($1M to $8M USD) in exchange for not leaking stolen corporate data publicly.
- *No specific MITRE ATT&CK IDs were explicitly listed in the provided text.*
## Targeting
- **Sectors:** Not explicitly detailed, but the objective is targeting **US firms** for financial gain.
- **Geography:** Primarily targeting **US firms**.
- **Victims:** Specific organizations were not named, only general firm categories.
## Tools & Infrastructure
- **Malware families used:** *None explicitly mentioned; the operation relies on legitimate software.*
- **RMM Tools Abused:** Syncro, SuperOps, Zoho Assist, Atera, AnyDesk, and Splashtop.
- **Exfiltration Tools:** WinSCP (via SFTP) or Rclone (cloud syncing).
- **Infrastructure (C2, domains, IPs):**
- Fake help desk domain patterns: `[company_name]-helpdesk.com` and `[company_name]helpdesk.com`.
- Attacker-controlled infrastructure used for data exfiltration endpoints.
- Luna Moth's clearweb extortion domain.
- IoCs (including IPs and phishing domains) are mentioned as available in the underlying EclecticIQ report (but not detailed here).
## Implications
Luna Moth presents a significant threat due to its highly effective "living off the land" approach, relying on social engineering to compel victims to grant hands-on keyboard access using trusted, signed RMM tools. This tactic makes detection challenging for traditional security tools designed to flag executable malware. The success hinges on human interaction and an established IT support structure, allowing them to bypass network defenses entirely during the initial stages.
## Mitigations
- Maintain strict policies regarding the installation of RMM tools, restricting execution to only those explicitly approved and utilized by the organization.
- Implement robust security awareness training focused specifically on help desk impersonation scams, including verification procedures for remote access requests received via unsolicited contact methods (like phone calls following an email).
- Blocklist known indicators of compromise (IoCs), including phishing domains associated with their fake help desk infrastructure.
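As an added illustration of the RMM allowlist and help desk domain mitigations (example code written for this summary, not code from the report or from EclecticIQ), the following Python script expands the two fake help desk domain patterns above for an organisation name and flags DNS queries to them, and flags execution of the RMM products named above when they are not on the organisation's allowlist. The organisation name "examplecorp", the allowlist, the process image names and the telemetry lines are constructed assumptions.

```python
import re

# Fake help desk domain patterns attributed to Luna Moth in the summary above.
HELPDESK_PATTERNS = ("{org}-helpdesk.com", "{org}helpdesk.com")

# RMM products the summary lists as abused, keyed by an assumed process image name.
RMM_PROCESSES = {
    "anydesk.exe": "AnyDesk", "splashtop.exe": "Splashtop", "ateraagent.exe": "Atera",
    "syncro.exe": "Syncro", "superops.exe": "SuperOps", "zohoassist.exe": "Zoho Assist",
}

EVENT_RE = re.compile(r"(?P<key>\w+)=(?P<val>\S+)")  # key=value telemetry fields

def lookalike_domains(org):
    """Expand the two reported help desk patterns for one organisation name."""
    return {p.format(org=org.lower()) for p in HELPDESK_PATTERNS}

def is_helpdesk_lookalike(domain, org):
    """True for a fake help desk domain itself or any subdomain of it."""
    d = domain.lower().rstrip(".")
    return any(d == base or d.endswith("." + base) for base in lookalike_domains(org))

def unapproved_rmm(process, approved):
    """Return the product name if `process` is a known RMM tool outside the allowlist."""
    product = RMM_PROCESSES.get(process.lower())
    return product if product and product not in approved else None

def scan_events(lines, org, approved):
    """Parse key=value event lines and return (host, reason) alerts."""
    alerts = []
    for line in lines:
        ev = dict(EVENT_RE.findall(line))
        host = ev.get("host", "?")
        if "dns_query" in ev and is_helpdesk_lookalike(ev["dns_query"], org):
            alerts.append((host, f"lookalike help desk domain {ev['dns_query']}"))
        tool = unapproved_rmm(ev.get("process", ""), approved)
        if tool:
            alerts.append((host, f"unapproved RMM tool {tool}"))
    return alerts

# Constructed sample telemetry (not from the report); the organisation is "examplecorp".
SAMPLE_EVENTS = [
    "ts=2024-01-01T10:02:11Z host=WS01 dns_query=examplecorp-helpdesk.com",
    "ts=2024-01-01T10:05:40Z host=WS01 process=AnyDesk.exe",
    "ts=2024-01-01T10:06:02Z host=WS02 dns_query=examplecorp.com",
    "ts=2024-01-01T10:07:15Z host=WS02 process=AteraAgent.exe",
    "ts=2024-01-01T10:09:30Z host=WS03 dns_query=portal.examplecorphelpdesk.com",
]
```

Calling `scan_events(SAMPLE_EVENTS, "examplecorp", {"Atera"})` treats Atera as the one approved RMM product, so only the AnyDesk execution and the two lookalike queries are reported, while the legitimate `examplecorp.com` query is not.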