The US Federal Bureau of Investigation (FBI) has warned of social engineering attacks employed by a criminal tor actor known as Luna Moth, who has targeted law firms for the past two years.
The campaign “utilises information technology (IT)-themed social engineering calls and callback phishing emails to gain remote access to systems or devices and steal sensitive data that forces victims,” the FBI said in its advisory.
Luna Moth, also known as Chatty Spider, Silent Ransom Group (SRG), Storm-0252, and UNC3753, is known to be active since at least 2022.
It is worth mentioning here that Luna Moth refers to the same hacking crew that previously ran the Bazarcall (aka Bazacall) campaign, and that he is deploying ransomware like Conti. The threat actor became his own following the closure of the Contisindicate.
Specifically, email recipients will be instructed to call their customer support number to cancel their premium subscription within 24 hours to avoid any payment incurred. During the course of a telephone conversation, the victim is emailed a link and led to install a remote access program, giving threat actors unauthorized access to the system.
To get access, the attacker removes sensitive information and sends a fearful note to the victim. Request payment to prevent stolen data from being published on leaked sites or sold to other cybercriminals.
The FBI said that as of March 2025, the Luna Moth actor had called interested individuals and changed tactics by pretending to be employees from the company’s IT department.
“The SRG instructs employees to participate in a remote access session via email sent to them. “If an employee grants access to the device, they are told they need to do the work overnight.”
After gaining access to the victim’s device, threat actors have been found to escalate privileges and leverage legitimate tools such as RCLONE and WINSCP to promote data delamination.
Using authentic systems management or remote access tools like Zoho Assist, Syncro, Anydesk, Splashtop, or Atera means performing an attack.
“If the compromised device does not have administrative privileges, WINSCP Portable will be used to remove victim data,” the FBI added. “This tactic has only been observed recently, but it was extremely effective and has provided multiple compromises.”
Defenders are required to keep an eye on WinSCP or RCLONE connections created in external IP addresses, emails, or voicemails from unnamed groups whose data has been stolen.
Remove pending renewal fees and unsolicited calls from individuals claiming to work in the IT department.
This disclosure follows an Eclecticiq report detailing Luna Moth’s “high-tempo” callback phishing campaign targeting the US legal and financial sectors using Reamaze HelpDesk and other remote desktop software.
According to the Dutch cybersecurity company, at least 37 domains were registered by threat actors via GoDaddy in March.
“Luna Moth uses a domain that is primarily about helpdesks and usually starts with the name of a business that is targeted at Vorys-Helpdesk.[.]com, “Silent Push mentioned in a series of posts in X.” The actor uses a relatively small range of registrars. Actors appear to use a limited range of name server providers using domaincontrol[.]com is the most common. ”
Source link
