Over the last few months, Sygnia's Incident Response team has been methodically tracking the 'Luna Moth' ransom group.

Key findings:

The Sygnia Incident Response team identified a relatively new threat group, which has been operating since the end of March 2022. Sygnia refers to this threat actor as 'Luna Moth' or TG2729.

'Luna Moth' focuses on data breach extortion attacks, threatening to leak stolen information if the demanded ransom is not paid.

The initial compromise is achieved by deceiving victims in a phishing campaign under the theme of Zoho MasterClass and Duolingo subscriptions, leading to the installation of an initial tool on the compromised host.

The group uses commercial remote administration tools (RATs) and publicly available tools to operate on compromised devices and maintain persistence, demonstrating once more the simplicity and effectiveness of ransom attacks.

The group acts and operates in an opportunistic way: even if there are no assets or devices to compromise in the network, they exfiltrate any data that is accessible. This emphasizes the importance of managing sensitive corporate information.

With the rise in ransomware activity over the past years, the security industry has become used to hearing about double extortion, and even triple extortion, attacks, and about new crime groups of all kinds. In this blog post, we shed light on a relatively new threat actor which goes by the name of the 'Silent Ransom Group' (or 'SRG') and was dubbed 'Luna Moth' by Sygnia. By launching a phishing campaign with a wide coverage area, 'Luna Moth' infiltrates and compromises victim devices. These attacks can be categorized as data breach ransom attacks, in which the main focus of the group is to gain access to sensitive documents and information, and to demand payment to withhold publication of the stolen data.

Although the group is not widely known, they have been active in the past months, attempting to build their reputation as a ransom gang. Simple as they may be, these attacks can create serious issues for victims if sensitive data and information are stolen in this way. Their modus operandi resembles that of scammers, with the twist of corporate data theft, leveraging the threat of publication to demand millions of dollars in ransom.

Over the past three months, the 'Luna Moth' group operated a large-scale phishing campaign under the theme of MasterClass and Duolingo subscriptions, by impersonating Zoho MasterClass Inc and Duolingo. Although claiming to be related to the Zoho Corporation or Duolingo, the phishing emails are sent from Gmail addresses that are altered to resemble the legitimate company email addresses:
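The sender pattern described above, a display name and local part that claim a brand while the actual address sits on a consumer webmail domain, is easy to triage automatically. The following is an added example written for this post, not code from Sygnia or from the campaign: it parses From headers with the Python standard library and flags messages that claim a brand name but come from a webmail domain. The brand and webmail lists and the sample messages are constructed for illustration; real mail would additionally be checked against SPF/DKIM/DMARC results and the Reply-To header.

```python
"""Flag sender impersonation: a From header that claims a brand while the
mailbox actually belongs to a consumer webmail provider.

Added example, not code from the original post. Brand-to-domain mappings,
the webmail list and the sample messages below are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: legitimate mail domains of the brands the lures impersonate.
BRAND_DOMAINS = {
    "zoho": {"zoho.com", "zohocorp.com"},
    "masterclass": {"masterclass.com"},
    "duolingo": {"duolingo.com"},
}

# Assumed: consumer webmail domains a corporate billing system would not use.
FREE_WEBMAIL = {"gmail.com", "googlemail.com", "outlook.com",
                "hotmail.com", "yahoo.com"}


def _brands_in(text):
    """Return the brand names mentioned in text, ignoring case and punctuation
    (so 'Zoho-Master Class' and 'zoho.masterclass' both match)."""
    flat = re.sub(r"[^a-z0-9]", "", text.lower())
    return {brand for brand in BRAND_DOMAINS if brand in flat}


def assess_sender(from_header):
    """Classify a raw From: header value.

    Returns (verdict, reason) where verdict is one of
    'unparsable', 'clean', 'impersonation' or 'suspicious'.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ("unparsable", "no address in From header")
    local, domain = addr.rsplit("@", 1)

    # A brand may be claimed in the display name or in the mailbox name itself.
    claimed = _brands_in(display) | _brands_in(local)
    if not claimed:
        return ("clean", "no brand name claimed")
    if any(domain in BRAND_DOMAINS[brand] for brand in claimed):
        return ("clean", f"domain {domain} belongs to the claimed brand")
    if domain in FREE_WEBMAIL:
        return ("impersonation",
                f"claims {sorted(claimed)} but is sent from webmail domain {domain}")
    # Brand claimed from some other domain: possibly a lookalike, needs a look.
    return ("suspicious",
            f"claims {sorted(claimed)} from unrelated domain {domain}")


def triage(raw_messages):
    """Run assess_sender over raw RFC 822 messages.

    Returns a list of (subject, verdict, reason) tuples in input order.
    """
    results = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        verdict, reason = assess_sender(msg.get("From", ""))
        results.append((msg.get("Subject", ""), verdict, reason))
    return results


# Constructed sample messages mimicking the lure style; not real campaign mail.
SAMPLE_MESSAGES = [
    "From: Zoho MasterClass Billing <zoho.masterclass.billing@gmail.com>\n"
    "Subject: Your MasterClass subscription invoice\n\n(body)",
    "From: Duolingo Support <duolingo.accounts@gmail.com>\n"
    "Subject: Duolingo Plus renewal\n\n(body)",
    "From: Duolingo <no-reply@duolingo.com>\n"
    "Subject: Weekly progress\n\n(body)",
    "From: Duolingo Team <billing@duolingo-support.example>\n"
    "Subject: Payment problem\n\n(body)",
    "From: Alice <alice@example.org>\n"
    "Subject: lunch?\n\n(body)",
]

if __name__ == "__main__":
    for subject, verdict, reason in triage(SAMPLE_MESSAGES):
        print(f"{verdict:13} {subject!r}: {reason}")
```

The check deliberately looks at both the display name and the local part, because the lures put the brand in the mailbox name (for example zoho.masterclass.billing@gmail.com) precisely so that it survives a casual glance at the address. A brand claimed from a domain that is neither the brand's own nor a webmail provider is reported as suspicious rather than clean, since that is where lookalike domains would land.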