The Microsoft Threat Intelligence Podcast 6.5.24
Ep 20 | 6.5.24

Threat Landscape Update on Grandoreiro and Luna Tempest

Transcript

Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo, and I am joined by two fantastic threat intelligence researchers here at Microsoft Threat Intelligence. And we're going to learn what's going on in the landscape. As many of you know, the threat landscape is my favorite thing. Welcome to the show.

Unidentified Person: Hi. Thanks.

Sherrod DeGrippo: So what's going on out there? That is the number one question that people ask me all over, from customers, to practitioners, to people doing research. What are you seeing, what's happening out there, what's caught your eye on the landscape?

Unidentified Person: Yes, absolutely. I think what's really been interesting recently, especially kind of focusing on April, is the financially motivated threats Microsoft has observed. So specifically I think it would be really awesome to dig into two particular cases I've noticed. One is the Grandoreiro banking trojan activity profile that Microsoft researchers put together, and then also the Luna Tempest actor profile, which we're going to get into a lot deeper later in the episode, I think.

Sherrod DeGrippo: Yes; so we will. I really -- as you and I kind of talked about before, Grandoreiro --

Unidentified Person: Yes.

Sherrod DeGrippo: Tell me what you know there and any commentary on that name.

Unidentified Person: [Laughs] Yes, I really hope I'm not butchering the name, but I think it's "Grandoreiro". But that activity profile is really interesting. Microsoft has observed more activity with the Grandoreiro banking trojan starting in March of 2024. But the interesting thing with that is it's actually been active for a while; we've observed activity since at least 2017. But what's different is now we're seeing Grandoreiro activity expanding globally, whereas before it was mostly focused in just Latin America or Spanish-speaking countries. So now we're seeing it in the United States, the UK, South Africa, Australia, so they've really gotten it up and running and they're kind of taking it global now.

Sherrod DeGrippo: So it's really interesting that we're seeing banking trojans, because typically what people talk about on the crimeware landscape is ransomware. But in this case, this is stealing financial logins or financial data. So tell me a little bit more about what we're seeing with the Grandoreiro.

Unidentified Person: Absolutely. And also it's really interesting to see with this activity too, because this kind of uptick is happening after a disruption operation happened in January of 2024, where the Federal Police of Brazil and security researcher firms kind of banded together to disrupt the cluster that they had observed with this activity. So multiple arrests happened from that operation, and then what we're observing now, like I mentioned from March 2024, is a different cluster. So what we're seeing with sort of the attack chain just on a very base level is it starts off with a phishing email sent to a user, and those emails will often be impersonating tax return updates, think login emails or other efforts to sort of lure the victim into clicking on a malicious URL link, which will then redirect the user to a Dropbox page which will have an archive with a downloader. So once the user sort of selects that downloader and downloads it to their device, then the threat actor has the opportunity to monitor the activity of that user and eventually the user will interact with a certain entity that they find interesting, like a bank, and will go from there to steal money.

Sherrod DeGrippo: So looking at the way that this banking trojan operates, it really is similar to DanaBot, TrickBot, Ursnif, all of the kind of throwback banking trojans that we haven't seen in quite a while. And what's interesting about this one in particular is that if the user has some kind of two-factor enabled on their bank account, this malware, the actor will pop up a window on that machine asking them to put in their two-factor information. So again, this is kind of where it's not quite attacker-in-the-middle in the traditional sense where we see proxies, it's more of a bespoke, "Hey, I'm going to need two-factor to steal this money out of this bank account, so I'm going to have to pop up an MFA dialog to the user." And I think that's really interesting because quite logically when you think about it, if you have someone's user name and password to their bank because you're in between their banking session, and you see it pop up a multifactor, you can't tell whether that particular victim has MFA or not until it's requested when you're trying to log into the bank. The way banking trojans work typically is that they get in between that session with the user and their bank login, prompting them to log into their bank, but it's not actually directly their bank. The other thing I find interesting about this one is that it uses CAPTCHA. It presents an Adobe Reader PDF viewer-branded popup that says, "I'm not a robot," and it's a reCAPTCHA-branded CAPTCHA quiz; but it's not actually the quiz, it's the one where you just click. And I think that that's pretty interesting too because there is no element of the malware that requires that. It is simply to further convince the user via technical social engineering that this actually is legitimate banking information that they're looking at.

Unidentified Person: Yes, absolutely.

Sherrod DeGrippo: Anything else we should know about this banking trojan that we're seeing on the scene? We haven't seen banking trojan activity in quite a while to this degree, so I'm pretty interested in this one.

Unidentified Person: Yes. I think it just really goes to show that even if some multi-country global takedown operation happens successfully and does successfully disrupt a malicious cluster, the bad guys are always going to kind of do the workaround and they're going to come back. So kind of scary, but I mean it's great news that we're seeing a lot of cooperation internationally to target these people.

Sherrod DeGrippo: I think that's something that the industry sort of goes back and forth with, right, is how impactful are takedown and disruption activities when threat actors, if nothing else, they are good at pivoting. Right, like that's sort of -- I think when you think about the DNA of a threat actor, especially in the financial space crimeware actors, "Oh, detections came out? I just need to get around those." "Oh, detections came out for the thing that I was getting around before? Well, I just need to get around that now." And that really kind of is the sort of unending back and forth of a lot of financially motivated threat actors is they're prepared for that. They're ready to do things like A/B testing, or sending a campaign to one region, seeing how well it performs, and then sending an updated better campaign to a different region to see if they can get better results than they have before.

Unidentified Person: Exactly. Threat actors are smart. I think that sometimes in the security industry we're a little too quick to sort of say, "Oh, God, look, they made a mistake," or, "This is really simple malware," or, "They did something stupid." I think a lot of times threat actors they leverage volume and scale, especially when it comes to crimeware which allows them to really rake in significant amounts of money. I think that ransomware is something that's really loud. This banking trojan is completely quiet. So unless you have technical means to discover that you've been infected with this particular piece of malware, you would never know. The money would disappear from your bank account. It would be laundered, shifted through multiple mule accounts, until a threat actor was able to get it to their bank account, typically making it too late before the victim finds it. And banking trojans are quiet little things that we have to remember operate fully under the radar, unlike ransomware which is loud as heck and sends angry demands and things like that.

Sherrod DeGrippo: Yes, absolutely. Let's move on to talk about something that I found out about at SLEUTHCON, which is Luna Tempest, a new threat actor. And tell me what we're looking at with Luna Tempest.

Unidentified Person: Sure. So Luna Tempest is a group that Microsoft has tracked for the past couple of years. We had previously tracked them under Storm 744 [phonetic], and we promoted them to Luna Tempest in prep for SLEUTHCON, and for some other reasons, too. But this group is an extortion-based group. We assess that they are a relatively small group of operators that are primarily based in the US and the UK, so kind of a similar nexus to groups such as Octo Tempest and LAPSUS$, which I think we refer to as "Strawberry Tempest" internally. And so very similar background, but there are still some pretty distinct differences.

Sherrod DeGrippo: Okay, so you just said that they are US-based? That's shocking, right? We typically think of particularly crimeware actors being based in Eastern Europe, Russia, West Africa, places like that. Obviously some of the -- even countries have started coming up in the crime space as well. What does this kind of mean for the crimeware landscape to see such a Western-based actor group?

Unidentified Person: Yes, I think it's a really interesting trend over the past few years. We really started to see some of that a few years ago with LAPSUS$ emerging, followed by Octo Tempest, which was I would say the next kind of big threat actor to come out of what they refer to as kind of "the COM", I guess, like the online community. It's primarily Western-based people associating on Discord, Telegram, and places like that. And so it's an interesting trend; definitely very, I would say, different characteristics from some of the Eastern European or Russian-based groups that we've tracked over the past decade plus. And so one notable thing that's kind of unique about some of these Western-based actors is they're definitely very aggressive towards victims and incident responders; getting a little bit more personal. And I'm not sure what the reason for that is, other than I think a lot of these actors come out of a gaming community, so a lot of online games where they talk a lot of smack to each other, they target each other, and in some cases they'll swat each other and things. And I think some of that behavior has kind of spilled over into the eCrime landscape.

Sherrod DeGrippo: Well, that's pretty scary. [Laughs]

Unidentified Person: Yes.

Sherrod DeGrippo: So for our listeners that don't know what swatting is, do you want to do a quick rundown about what swatting is?

Unidentified Person: Yes; you know, I'm by no means a swatting expert, but my understanding is say you want to target an individual, you'll identify their home address, and you will spoof your phone number and call the local police department or the law enforcement office, and fake a distress-like call, like an active shooter type situation or a hostage type situation or something like that, that doesn't result in just a typical police response. They're going to bring the big guns, they're going to bring in a lot of people. And so it just causes a lot of chaos, it's extremely distressing and threatening to the person who is being targeted. And so that's my general understanding of it. And I know this is not limited to just the eCrime type landscape, but we've seen it kind of on the political side as well.

Sherrod DeGrippo: Also very scary. I don't like that. But Luna Tempest specifically it looks like they've got a targeting vertical in mind. Can you tell us a little bit about that?

Unidentified Person: Yes, for sure. I think that's one of the things that really kind of differentiates them from groups like LAPSUS$ and Octo Tempest. So those two groups have kind of gone after a pretty wide range of targets, mostly household-name large companies, S&P 500 organizations. And so Luna Tempest, on the other hand, is really focused on a lot of startups, smaller companies, emerging companies, and insurance providers, Fintech, biotech, and pharmaceuticals have been a couple of verticals that have been really targeted heavily. I think the reason for that is from an extortion perspective they're looking for the big payout or the higher chance of getting paid. And so targeting companies that might be in a startup phase where the release of sensitive information might be super damaging to them, or keep them from eventually going public.

Sherrod DeGrippo: So from the profile that I read, it looks like they're hitting startups in insurance, pharma, biotech, you were saying fin -- or financial services. What do you think the situation is there with that? Why startups?

Unidentified Person: Yes, I think why that is primarily they are looking to try and extort these companies that it's a higher chance of getting paid if they target companies that are emerging. They may have like some sensitive either customer data that the release of that could be really damaging for like reputational purposes for them, or you know, these companies may be early phases prior to doing like an IPO or going public, and so release of like intellectual property or like I said, that reputational damage could really impact their ability to generate capital and go public. And so I think that's really an incentive for these companies to pay the attacker off so they don't have to go through that.

Sherrod DeGrippo: And they're typically doing extortion, or are they doing encryption with ransomware style only?

Unidentified Person: Good question. So this group, Luna Tempest, is really just an extortion-only group. So we don't see them deploying malware, to contrast with Octo Tempest, who we've seen deploying ransomware like BlackCat, something we saw late last year. One interesting thing about Luna Tempest is they don't appear -- I would say overall this is not the most technical group. Compared to some others, they don't really create their own tools. They're not super adaptive in their techniques over the past couple of years. So when you compare that to some other groups I mentioned, they've changed dramatically over the past two years and in some cases they may write their own tools or deploy malware.

Sherrod DeGrippo: And are they typically asking from an extortion perspective for Bitcoin or for some kind of cryptocurrency?

Unidentified Person: I think that's pretty standard. So what we've seen over the past couple of years is they will communicate with victims through -- when we first started tracking the activity, they would communicate with victims over kind of temporary emails that they would use to either deliver the extortion note and kind of, quote, "negotiate" with the victim over the terms, and that would be paid off to them in some sort of cryptocurrency transfer. One trend that we've seen over the past years, though, is they've kind of shifted away from the email communication to using Tox, which is a pretty common peer-to-peer software used by a variety of the larger ransomware actors. And so it's an encrypted peer-to-peer application that will allow them to have a little bit more anonymity and security when they're communicating with the victims. But the end result there is to transfer funds via some sort of cryptocurrency.

Sherrod DeGrippo: So all of these groups we hear about -- Octo Tempest, obviously Strawberry Tempest or LAPSUS$ as a group that I've really found very interesting to track. And then there's the COM, there's ALPHV, there's BlackCat. There are names of threat actor groups being conflated with names of malware. Is there a way to keep this straight? Is there a clear delineation between the groups that's visible? How do we sort out the differences here?

Unidentified Person: Yes, that's a really complicated question to answer. And I think -- I know it comes up a lot, like why does every vendor have their own names for things is kind of the broader question, right? [Laughter] And that's really a result of us all having our own kind of special visibility. It's typically whatever platform that we are responsible for, and so some other vendors may have a very endpoint-focused platform they sell and so their visibility is based on the telemetry that comes out of that product. And so Microsoft is no different there. A lot of our visibility comes out of environments such as Azure and Defender. So I think we've all got kind of our own visibility there. And so while it may be the same actors behind the names or the same organizations behind the names, because we all have our different sort of visibility into the intrusions, we all may not be reporting on the same things. And so from an equality perspective, Octo Tempest might overlap with Scattered Spider, but they may not be a one-to-one equality in terms of the intrusions and activities that each vendor is seeing, if that makes sense.

Sherrod DeGrippo: That does make sense. And then the other complicating factor that I have always found fascinating, which we typically see almost exclusively in crime, but there is an element of it in nation-sponsored as well, is groups naming themselves, right? So I believe "the COM" is their own name, correct?

Unidentified Person: Yes, I believe like that's kind of just organically -- that's how they refer to themselves. I think groups like LAPSUS$ is kind of the same way. One thing kind of getting back to like what we were talking about with the different names, I think our end goal with a lot of these is we want to protect customers, we want them to understand the risks that they're kind of dealing with or potentially exposed to, and so in some cases like the names might be marketing-driven. But I think a lot of times, we want to create a name so that these companies can kind of understand like what they're dealing with. The reason that we went public with Luna Tempest was because we were seeing all these victims over the past couple of years. And it's really hard to -- when you talk to these companies, for them to really understand like what they can expect to happen. And we'll probably get into it later. But you know, this group is extremely aggressive in their harassment towards some of their companies, and so the initial intrusion might seem like it's not like super-destructive. You know, they've stolen data, but it's the later stuff that happens with the harassment of the leadership on the executives on the board and potentially family members and things like that. And without any sort of like name to this threat, they may not understand kind of what's coming down the road with the intrusion.

Sherrod DeGrippo: So that kind of brings me to obviously names are a shorthand way to talk to customers, or potential victims, or other analysts even that need to have this information. So if you see an organization targeted by something like Luna Tempest, what do you tell that customer; what do you tell that organization? How does that process work and what can we do to help it be better?

Unidentified Person: Yes, it's a good question. And so in the times that we've notified victims of the activity, we definitely make it a point to try to describe what's typical for this threat actor. A lot of times they'll directly harass leadership through phone calls or maybe SIM swapping. And in some cases, they may not limit it to just the employee in the company, they may go after family members, they may go after children of the executives. And so that's super concerning from a human risk threat perspective; and so just wanting them to kind of understand what to expect. And then on the other side of it, too, is this actor is kind of unique in some of the things they've done over the years. One thing they did in the fall of last year was they notified the SEC directly of a breach that they did because they felt like the company wasn't quick enough to do the notification. And I think the reason they did that was really just for manipulation and harassment purposes. So those kinds of things, I think, are important to kind of get in front of customers so they can better prepare and they can better respond. And I think that's the ultimate goal with a lot of this attribution, like you want the victim to be best prepared to deal with that specific threat.

Sherrod DeGrippo: That's a lot. So this group is going after the children of the executives that work there?

Unidentified Person: In some cases we've seen them SIM swap the executives, we've seen them SIM swap family members as well, and a lot of that is just to kind of put more pressure on them to ultimately get paid.

Sherrod DeGrippo: So it sounds like they've really kind of perfected an extortion program, almost, like it's operationalized.

Unidentified Person: Yes, it's really interesting. I mean, they -- you know, in their targeting, this is not -- like I said earlier, this is not a highly technical group compared to some others. But one interesting thing they'll do is they'll usually just target a single account at a victim, as opposed to maybe going after multiple help desk or administrative accounts or people with higher privileges. They'll go after an executive of the company for a couple of reasons, and it comes down to kind of efficiency, which is kind of a weird way to look at it. But the first reason would be access to sensitive data. So they may target a chief research officer or somebody that has access -- from a pharmaceutical company, somebody that has access to sensitive testing records or things like that. And so from an access perspective, that's definitely very valuable for extorting, you know, it's very sensitive information that they would likely get a higher chance of a payout on. The other reason, which is kind of interesting, is especially when they target founders or CEOs, those people will have more influence over paying the extortion group, and so if you just target, say, a help desk employee, that might get you the access that you need to get potentially sensitive information there. But that person by themselves may not be super influential in convincing the board or the executive team to pay the threat actor. And so I think that's one really interesting thing that this group does in targeting, especially founders and CEOs.

Sherrod DeGrippo: Why is everything so scary? Oh, my God. So it sounds like essentially this new wave of sort of Western-based crime operators are going to extremes that we really haven't seen from the traditional crime or actors over the past ten years. It sounds like they're really escalating.

Unidentified Person: I would say yes. I mean, we've definitely seen that trend over the past few years, and it's not just, you know, a single group that we've seen, it's multiple groups now, and just getting a little bit more personal and aggressive towards the victims. That's definitely not something -- you know, I've done incident response for ten to 15 years, and this trend is definitely unique compared to the stuff we used to deal with.

Sherrod DeGrippo: I think, too, something that people talk about a lot is, "Okay, so how do we protect ourselves?" And what do you typically say, "Make sure you're patched. Make sure you're up to date. Make sure your frontline staff has social engineering training so that they don't get social-engineered over the phone or text messages." But in this case, there's a physical threat.

Unidentified Person: Yes, it's definitely unique. You know, I think one thing that this group appears to rely on to target individuals is they'll use a lot of public information brokers out there, think whitepages.com, services like that that are just publicly available. Those services will usually let you opt out, or the information is just kind of scraped and ingested into those services, and a lot of times without us even knowing or wanting it to be there. And so in order to protect ourselves better, I think you definitely want to go through and clean up, or you know, remove yourself from any of those services. I think just from a general privacy perspective it's good hygiene.

Sherrod DeGrippo: Yes, I think that's kind of been something I've been hearing about a lot lately is going to the various search engines and having it remove your personal information, which we'll put in the show notes for this podcast episode, the two links for removing yourself from the two primary search engines, if you want to check that out. It's kind of a long process, but it's all clickable, so you can take a Sunday afternoon and sit and get yourself removed from various search engine results to kind of protect your data and really your contact information, right; that's the concern is that it's like your home address, your phone number.

Unidentified Person: That's really it, I think like your home address, your phone number, those kinds of things. I think the other big things, too, I think it's pretty common for people to reuse passwords for all their various like banking, personal email, all that stuff, and so most people don't use password managers or things like that to like create unique and complex passwords. Outside of the security community, I think most people just generally reuse the same password. And so that stuff over time does get leaked and so there are databases out there that are available for, you know, researchers and attackers to pull from. And so if you don't go through and periodically change your passwords or use some sort of password vault to, you know, create a unique password for everything, I think your chances of getting your identity compromised go up a lot.

Sherrod DeGrippo: Yes, with the amount of breaches that have happened across the spectrum over the landscape in the last couple of years, I've used a password manager for -- I mean, I've been in security for 20 years, so as soon as they came out, I was like, "Yes, I want to do this." And it's saved me quite a few times in terms of sites that I used got breached and it's like, "Well, I created a random strong password that I don't even know, so if that site doesn't have some kind of two-factor or even two-step over text message, then I should be good." So I think password managers actually are a really important security step. The other thing that a password manager will do is once it's pretty filled out, it will tell you where you've reused passwords, which is important. It will say, "Hey, this is a reused password. You need to go change it."

Unidentified Person: Yes, for sure. I think on the other side, too, just not necessarily from like a password perspective, but just from like a business protecting their environment, things you can also do -- these are identity-based attacks usually so they're stealing credentials either through like SMS-based phishing, or SIM swapping, or things like that. And so protecting the environment from logons from unknown IP addresses or from other regions, like there are policies that you can set up to kind of restrict or limit that exposure. And so I think that that's definitely a -- from a more of an enterprise controls perspective, I think that's something that everybody should be doing.

Sherrod DeGrippo: Speaking of enterprise, is this threat actor, Luna Tempest, primarily targeting enterprise? Do you see any consumer targeting here?

Unidentified Person: I think based on our visibility, we've been really focusing more on the enterprise perspective. But just anecdotally, we don't have direct visibility into this. But a lot of these groups that have kind of come out of the COM, they got their initial experience by doing things like crypto wallet draining. So that might be just targeting more consumers or individuals. But that's not something that always bubbles up to our level of visibility with MSTIC. But I think it's definitely something that's pretty common here.

Sherrod DeGrippo: So I know that we talk a lot about our relationships and the community. This was a pretty heavily community-driven effort to track down Luna Tempest. What are we doing there with friendship?

Unidentified Person: Yes, that's a good question. So when we spoke at SLEUTHCON, it was a joint presentation across a couple of different companies. And so I hit on visibility earlier. We all kind of have our unique view into the activity. But typically, that's only a small part of the overall attacker life cycle or where they operate. And so if we ever want to have any hope at disrupting this activity, a lot of us work with law enforcement to help investigate these groups. But I think collaborating, working together -- Microsoft does have some existing partnerships with other vendors, but I think that it's super important to kind of share findings, sharing things that are not necessarily consumer data, right, but we're sharing things like IP addresses in that context that we see the attacker operating from. And it might surface things in other vendors' visibility that they wouldn't have seen normally. And so I think the end goal there is to try to build as complete of a picture as possible that we can kind of share with law enforcement to eventually disrupt the actor.

Sherrod DeGrippo: Yes, I think that's something that hopefully we'll be talking about a little bit more is disruption. I know we touched on it a little bit with the Grandoreiro malware from the beginning of the show, but some of the disruptions that have happened over the past couple of years have had a significant impact. Even when things come back, they don't come back as strong a lot of times, so maybe we'll see some disruption there. And I will also comment on the community being absolutely amazing and really willing to share ultimately, regardless of where we work. I think that we all just want to get the same threat actors shut down. And that's just sort of the direction that everyone's going, which is why it's such a close-knit industry in terms of people being like very close and collaborative, even if they work at completely different places.

Unidentified Person: Yes. I totally agree. I think a lot of us have a common interest and passion for stopping the activity, and so that is kind of a team effort when you look back on it.

Sherrod DeGrippo: Well, thank you for listening to the Microsoft Threat Intelligence Podcast. I want to thank my analysts from Microsoft Threat Intelligence for joining me. And we will talk to you soon. Thanks for coming on. [ Music ] Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out at msthreatintelpodcast.com for more, and subscribe on your favorite podcast app.