Welcome to our new Weekly Digest by Disclosure Labs. Every week, we'll delve into the world of malicious programs and more.
This week, we'll be delving into Luna Grabber.
Overview
Luna Grabber is a malicious tool used to obtain sensitive information from a victim's computer, drawn from a wide range of applications the user may have installed.
The application can obtain data from applications such as Discord, Google Chrome, Minecraft, Roblox and more.
In addition, the program can collect information about your system, such as your IP address and hardware specifications, and perform other general functions such as taking screenshots of your desktop.
High-level information overview
The program takes the following information:
Discord Information
- Token
- Nitro Information
- Billing Information (such as linked billing details)
- 2FA status (and codes)
- Phone Number
- Gift Codes
- Backup Codes
Browser Data
- Stored Cookies
- In-browser stored passwords (such as ones saved when the prompt shows when logging into a new website)
- Browser History
- Stored Credit Cards and other billing information
Game Data
- Minecraft Session Information
- Roblox Cookie and other session information
Discord Injection
This function is specific to Discord: if the program is still running on your PC when you change your Discord password, it captures the token, email and password you entered.
System Information
- Current user
- Operating System
- Network IP
- Wifi
- Mac Address
- Hardware ID
- PC Specification
- Screenshot of desktop (at the time it is run)
General Functions
- Ability to check if the program is being run in VirusTotal or a Virtual Machine
- Check for any blacklisted users, PC names, Hardware IDs, MAC addresses and processes
- Ability to add the file to startup through Registry Keys
- Fake Error
- Program Obfuscation
- Change icon on program
- Lower detection rates
- Bypass token protector
- File pumper
- Self destruction ability
Vulnerability Severity
Disclosure Labs uses private internal tooling to determine the severity with which a malicious program could affect a business or individual.
The most common threat label for Luna Grabber is trojan.python/reverseshell.
Luna Grabber is considered one of the more severe malicious tools. It has the ability to cause a severe breach at a business; however, the actual impact depends on which tools your company, or you as an individual, actually use.
Luna Grabber is a Python script, however, it can be built into an executable file. Luna Grabber can be totally customised, allowing users of it to change the name and even the icon of the program.
From our testing, Luna Grabber does not scan browser directories for stored cookies, passwords or credit card information on obscure browsers or modified versions of Chromium; it targets only Chrome, default Chromium, Edge and Internet Explorer. If you use a modified Chromium build such as Brave or Arc, or another browser, you should be safe unless the malware is updated to include less common browsers.
The malware's ability to screenshot your desktop can also expose you to breaches or other data-handling issues, since the capture includes every window open at the moment the malware is run. From our testing, the malware does not appear to capture the screen continuously; it takes one screenshot each time the program is opened and sends it to the bad actor(s).
For personal use, you may run into issues if you use the popular chat platform Discord. The malware does have the ability to take sensitive information such as your token, which allows any bad actor to log into your Discord without requiring your email or password, and 2FA does not affect this. In addition, it also shows the bad actor information that affects your account, such as linked card information, if you have purchased their subscription called Discord Nitro, and more.
The malware also has the ability to add itself to your registry, meaning it runs at every startup and provides the bad actor with a screenshot of your desktop every time you boot your PC to the desktop.
Information Transmission
The information that the malware obtains is transmitted to the bad actor(s) using a Discord Webhook.
Detection rates
Luna Grabber has a very low detection rate for being such a sensitive piece of malware. After a VirusTotal scan, only 14 out of 67 possible vendors detected the executable file as malware, with big names such as BitDefender and Sophos not detecting the file as malware.
External resolutions
While the malware is sensitive, it makes few DNS requests, and those go to otherwise non-malicious services. According to our testing, the malware only resolves Ipify, in order to look up your public IP, and the Discord webhook to which it sends your information.
Other than that, its network activity is pretty harmless.
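As an added example that is not part of the original digest, the following Python script turns those two observations (an Ipify lookup followed shortly by a Discord webhook POST) into a hunt query over constructed proxy log lines. The log format, client addresses and webhook IDs are assumptions; legitimate automation also uses Discord webhooks, so a hit is a lead for triage rather than a verdict.

```python
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the original post).
# Format assumed: "<ISO timestamp> <client ip> <method> <host><path>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.12 GET api.ipify.org/
2024-01-10T09:00:03 10.0.0.12 POST discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN
2024-01-10T09:05:00 10.0.0.20 GET api.ipify.org/
2024-01-10T09:30:00 10.0.0.33 GET discord.com/api/v9/users/@me
2024-01-10T10:00:00 10.0.0.20 POST discord.com/api/webhooks/PLACEHOLDER_ID2/PLACEHOLDER_TOKEN2
"""

# Public-IP lookup service named in the digest, plus its IPv6-capable host.
IP_LOOKUP_HOSTS = {"api.ipify.org", "api64.ipify.org"}
# Discord webhook execution endpoint (current and legacy API hosts).
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}
WEBHOOK_PATH = "/api/webhooks/"


def parse_line(line):
    ts, client, method, url = line.split(maxsplit=3)
    host, _, path = url.partition("/")
    return datetime.fromisoformat(ts), client, method, host, "/" + path


def find_grabber_beacons(log_text, window_minutes=5):
    """Return (client, lookup_time, webhook_time) for every client that
    queries a public-IP lookup service and then POSTs to a Discord webhook
    within `window_minutes`. Order matters: the stealer fetches the victim's
    IP first and ships the collected data in a webhook call afterwards."""
    window = timedelta(minutes=window_minutes)
    last_lookup = {}  # client -> time of its most recent IP lookup
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, method, host, path = parse_line(raw)
        if host in IP_LOOKUP_HOSTS:
            last_lookup[client] = ts
        elif method == "POST" and host in WEBHOOK_HOSTS and path.startswith(WEBHOOK_PATH):
            seen = last_lookup.get(client)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                hits.append((client, seen, ts))
    return hits


if __name__ == "__main__":
    for client, seen, ts in find_grabber_beacons(SAMPLE_LOG):
        print(f"{client}: IP lookup at {seen:%H:%M:%S}, webhook POST at {ts:%H:%M:%S}")
```

In the sample, 10.0.0.12 is flagged while 10.0.0.20 is not, because its webhook POST comes 55 minutes after the lookup; widening the window to an hour flags both.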
Preventing against a cyber attack
You should always report to Action Fraud when you have experienced a cybersecurity breach that may have exposed sensitive information pertinent to you, and if you have been breached when you are working, you should always contact the ICO and make them aware of the data breach.
If this attack was done by someone you know, always contact the police on 101 to report a cybersecurity attack. Using malicious programs with the intent to steal sensitive information is against the Computer Misuse Act 1990.
Antivirus
You should always have an antivirus on your computer to ensure you're secure. NatWest customers (and customers of any bank in the NatWest Group) get a free year of Malwarebytes for as long as they are a customer of NatWest or the affiliated bank.
You are also able to claim this if you have a business account.