Palo Alto’s Unit 42 has investigated several incidents linked to the Luna Moth group callback phishing extortion campaign targeting businesses in multiple sectors, including legal and retail. The analysis discovered that the threat actors behind the campaign leverage extortion without malware-based encryption, have significantly invested in call centers and infrastructure unique to attack targets, and are evolving their tactics over time. Unit 42 stated that the campaign has cost victims hundreds of thousands of dollars and is expanding in scope.

Luna Moth removes malware portion of phishing callback attack

Callback phishing – or telephone-oriented attack delivery (TOAD) – is a social engineering attack that requires a threat actor to interact with the target to accomplish their objectives. It is more resource intensive but less complex than script-based attacks and it tends to have a much higher success rate, Unit 42 wrote in a blog posting. Actors linked to the Conti ransomware group had success with this type of attack with the BazarCall campaign, which focused on tricking victims into downloading the BazarLoader malware. This malware element is synonymous with traditional callback phishing attacks.

Interestingly, in this campaign, Luna Moth does away with the malware portion of the attack, instead using legitimate and trusted systems management tools to interact directly with a victim’s computer to manually exfiltrate data for extortion. “As these tools are not malicious, they’re not likely to be flagged by traditional antivirus products,” the researchers wrote.

Fake credit card invoice initial phishing lure

The initial lure of this campaign is a phishing email to a corporate email address with an attached PDF invoice indicating the recipient’s credit card has been charged for a subscription service, Unit 42 said. This is usually for an amount under $1,000.

Emails are personalized to the recipient and sent via legitimate email services, meaning they are less likely to be intercepted by email protection platforms, Unit 42 added. “The attached invoice includes a unique ID and phone number, often written with extra characters or formatting to prevent data loss prevention (DLP) platforms from recognizing it. When the recipient calls the number, they are routed to a threat actor-controlled call center and connected to a live agent.”

Appearing to help the victim cancel the subscription, the actor guides the caller through downloading and running a remote support tool to allow the attacker to manage their computer. “This step usually generates another email from the tool’s vendor to the victim with a link to start the support session,” Unit 42 wrote.

The attacker then downloads and installs a remote administration tool (Syncro) that allows them to achieve persistence before trying to identify valuable information and connected file shares, which they exfiltrate to a server they control using file transfer tools such as Rclone and WinSCP. After stealing the data, the attacker sends an extortion email demanding victims pay a fee, or the information will be released. These demands become more aggressive if the victim does not comply, the researchers noted. “In the cases Unit 42 investigated, the attacker claimed to have exfiltrated data in amounts ranging from a few gigabytes to over a terabyte.”

Bitcoin wallets gather extortion payments

Unique Bitcoin wallets are set up for each victim’s extortion payments, with the wallets emptied immediately after funding. Demands ranged from 2-78 BTC based on organizations’ revenue, Unit 42 wrote, with attackers quick to offer discounts of 25% for prompt payment. “Paying the attacker did not guarantee they would follow through with their promises. At times they stopped responding after confirming they had received payment and did not follow through with negotiated commitments to provide proof of deletion,” Unit 42 warned.

Luna Moth campaign tactics evolve to improve efficiency

Unit 42’s analysis of Luna Moth’s campaign showed a clear evolution of tactics that suggests the threat actor is continuing to improve the efficiency of the campaign. For example, the wording of the initial email has changed over time, likely to thwart email protection platforms. Furthermore, early iterations of the campaign recycled phone numbers, but later attacks either used a unique phone number per victim or presented victims with a large pool of available phone numbers in the invoice, according to Unit 42. “The attacker registered all of the numbers they used via a voice-over-IP (VoIP) provider.”

Early incidents also used a logo from one of the spoofed businesses at the top of the invoice, which was replaced in later cases with a simple header welcoming the target to the spoofed business. “Cases analyzed at the beginning of the campaign targeted individuals at small- and medium-sized businesses in the legal industry. In contrast, cases later in the campaign indicate a shift in victimology to include individuals at larger targets in the retail sector,” according to Unit 42.

Awareness is key to mitigating phishing callback threats

As the threat actors behind this campaign have taken great pains to minimize the potential for detection, employee cybersecurity awareness training is the first line of defense to mitigate threats, Unit 42 wrote. “People should always be cautious of messages that invoke fear or a sense of urgency.” They should be trained not to respond directly to suspicious invoices and to contact the requester directly via the channels made available on the vendor’s official website, it stated. People should also be encouraged to consult internal support channels before downloading or installing software on their corporate computers. The second line of defense is a robust security technology stack designed to detect behavioral anomalies in the environment, Unit 42 added.
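Unit 42 notes that the invoice phone number is "often written with extra characters or formatting to prevent data loss prevention (DLP) platforms from recognizing it." A DLP or mail-filtering rule that only matches a clean `NNN-NNN-NNNN` pattern misses such numbers, so the useful defensive step is to normalize the text before matching. The following is an added example, not code from the Unit 42 report: it folds fullwidth digits to ASCII, strips zero-width characters, tolerates up to three separator characters between digits and a letter O standing in for zero, and validates the result as a North American number. The invoice snippets and the obfuscation styles are constructed assumptions about what "extra characters or formatting" could look like.

```python
import re
import unicodedata
from typing import List, Optional

# Constructed sample invoice snippets (not taken from the Unit 42 report).
# The obfuscation styles are assumptions for illustration only.
SAMPLE_INVOICES = [
    "Questions? Call our billing desk at 1-8OO-555-O199 within 24 hours.",
    "Support line: (8 0 0) 5 5 5 . 0 1 9 9",
    "Reach us at 800\u200b-555\u200b-0199 to cancel your subscription.",
    "Toll free: \uff18\uff10\uff10 \uff15\uff15\uff15 \uff10\uff11\uff19\uff19",  # fullwidth digits
    "Invoice ID 4471-2200-9917, amount charged: $497.00 on 03/14/2023.",
]

# Invisible code points that split a number without changing how it renders.
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff\u00ad"

# Letters commonly swapped in for zero; translated only inside a candidate span.
LOOKALIKES = str.maketrans({"O": "0", "o": "0"})

# A "digit" is an ASCII digit or a zero look-alike; between consecutive digits
# we allow up to three separator characters (space, dash, dot, brackets, ...).
_DIGIT = "[0-9Oo]"
_SEP = r"[\s\-.()\[\]/_\u00b7*]{0,3}"
# 10 or 11 digit-ish characters, not glued to further digits on either side.
CANDIDATE = re.compile(
    "(?<![0-9Oo])" + _DIGIT + "(?:" + _SEP + _DIGIT + "){9,10}(?![0-9Oo])"
)


def normalize_text(text: str) -> str:
    """Fold compatibility characters (e.g. fullwidth digits) to ASCII and drop
    zero-width splitters, so the regex sees the number the way a human does."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def to_e164(candidate: str) -> Optional[str]:
    """Return +1NNNNNNNNNN for a plausible North American number, else None."""
    # Require mostly real digits so a run of letter O's is not promoted to a number.
    if sum(ch.isdigit() for ch in candidate) < 7:
        return None
    digits = re.sub(r"\D", "", candidate.translate(LOOKALIKES))
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]  # drop the country code
    if len(digits) != 10:
        return None
    # NANP rule: area code and exchange code both start with 2-9.
    if digits[0] in "01" or digits[3] in "01":
        return None
    return "+1" + digits


def extract_phone_numbers(text: str) -> List[str]:
    """Find obfuscated phone numbers in free text and return them normalized."""
    found: List[str] = []
    for match in CANDIDATE.finditer(normalize_text(text)):
        number = to_e164(match.group(0))
        if number and number not in found:
            found.append(number)
    return found


if __name__ == "__main__":
    for snippet in SAMPLE_INVOICES:
        print(extract_phone_numbers(snippet), "<-", snippet)
```

The invoice ID and dollar amount in the last snippet are not reported as numbers because the digit run is the wrong length and does not satisfy the area-code check; the four obfuscated variants all normalize to the same `+1` number, which is the value a DLP rule or a blocklist lookup should key on.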
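Unit 42 describes the intrusion as a remote administration tool (Syncro) installed for persistence, followed by Rclone or WinSCP moving data off connected file shares, and says the second line of defense is a stack that "detect[s] behavioral anomalies." Because none of these tools is malware, the anomaly is the sequence rather than any single binary. The following is an added example, not code from Unit 42 or any vendor: it runs over constructed process-creation events and raises a medium alert for any file transfer tool execution, escalating to high when a remote-admin tool was started on the same host within a time window beforehand. The host names, file paths, the installer name `syncro-agent-setup.exe` and the pipe-delimited log format are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str     # full path of the executable that was started
    cmdline: str


# Constructed process-creation log (timestamp|host|user|image|cmdline).
# Not real telemetry: hosts, users, paths and the installer file name are assumptions.
SAMPLE_LOG = r"""
2023-03-14T10:02:11|WS-LEGAL-07|jdoe|C:\Users\jdoe\Downloads\syncro-agent-setup.exe|syncro-agent-setup.exe /S
2023-03-14T10:41:53|WS-LEGAL-07|jdoe|C:\Users\jdoe\AppData\Local\Temp\rclone.exe|rclone.exe copy \\FS01\Legal remote:cases -P
2023-03-14T11:05:20|WS-RETAIL-12|mlee|C:\Program Files (x86)\WinSCP\WinSCP.exe|WinSCP.exe
2023-03-14T11:07:00|WS-FIN-03|asmith|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|EXCEL.EXE Q1.xlsx
2023-03-14T11:09:44|WS-FIN-03|asmith|C:\Program Files\Google\Chrome\Application\chrome.exe|chrome.exe
"""

# Tools named in the article. "syncro" is matched as a substring of the image
# name because agent/installer file names vary (assumption).
REMOTE_ADMIN_MARKERS = ("syncro",)
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe", "winscp.com"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_events(log: str) -> List[ProcEvent]:
    events = []
    for line in log.strip().splitlines():
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, user, image, cmdline))
    return events


def classify(event: ProcEvent) -> Optional[str]:
    """Label an event as 'transfer_tool', 'remote_admin', or None (benign)."""
    name = basename(event.image).lower()
    if name in TRANSFER_TOOLS:
        return "transfer_tool"
    if any(marker in name for marker in REMOTE_ADMIN_MARKERS):
        return "remote_admin"
    return None


def find_exfil_chains(events: List[ProcEvent],
                      window: timedelta = timedelta(hours=24)) -> List[Dict[str, str]]:
    """Per host: any transfer-tool run is 'medium'; if a remote-admin tool was
    started on the same host within `window` before it, escalate to 'high'."""
    alerts: List[Dict[str, str]] = []
    last_remote_admin: Dict[str, ProcEvent] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        kind = classify(ev)
        if kind == "remote_admin":
            last_remote_admin[ev.host] = ev
        elif kind == "transfer_tool":
            prior = last_remote_admin.get(ev.host)
            chained = prior is not None and ev.ts - prior.ts <= window
            alerts.append({
                "severity": "high" if chained else "medium",
                "host": ev.host,
                "user": ev.user,
                "tool": basename(ev.image),
                "cmdline": ev.cmdline,
                "preceded_by": basename(prior.image) if chained else "",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_chains(parse_events(SAMPLE_LOG)):
        print(alert)
```

The medium-severity WinSCP hit on the retail workstation is deliberately kept: an interactive transfer client on an end-user machine is worth a look even without a preceding remote-admin install, while the legal workstation, where the transfer follows the agent install by forty minutes, is the pattern the article describes. In production the same logic would sit over EDR or Sysmon process-creation telemetry and also take the network destination into account.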