Luna Grabber
Malware⚠️ Overview
Luna Grabber is a commodity information-stealing malware first documented in early 2023 by cybersecurity researchers at SOCRadar and subsequently analyzed by Fortinet's FortiGuard Labs, operating under a malware-as-a-service model sold on Russian-language underground forums and categorized as an infostealer or "grabber" targeting credentials, browser data, and cryptocurrency wallets.
🔧 Technical Capabilities
Luna Grabber propagates primarily through phishing emails containing malicious attachments (often ZIP archives with .NET-compiled executables) or through malvertising campaigns that trick users into downloading the payload; upon execution, it harvests data from over 30 Chromium-based and Firefox-based browsers including Google Chrome, Mozilla Firefox, Microsoft Edge, and Opera, extracting stored passwords, cookies, autofill data, and credit card information. The malware also targets cryptocurrency wallets such as Exodus, Electrum, and MetaMask by scanning for wallet-extension directories and seed-phrase files, and it exfiltrates system information including IP address, geolocation, operating system version, installed antivirus products, and desktop screenshots via a hardcoded C2 channel using HTTP POST requests to domains registered on dynamic DNS services. Persistence is achieved through a scheduled task or a registry Run key (SOFTCAPPSMicrosoftWindowsCurrentVersionRun) that silently re-executes the binary after reboot, while evasion techniques include anti-debugging checks using IsDebuggerPresent, VM detection via WMI queries for VMware or VirtualBox artifacts, and delayed execution to bypass sandbox analysis.
📜 History & Notable Incidents
First appearing in underground markets in January 2023 with prices ranging from $25–$100 per license, Luna Grabber saw a significant campaign in Q2 2023 targeting users in South Korea and the United States, culminating in a report by AhnLab where the malware was distributed through fake software cracks; no high-profile corporate breaches have been publicly attributed to this malware, and no law enforcement takedowns have been reported as of late 2024.
🔍 Detection Indicators
Known file hashes include SHA-256 values such as a5f8c3e1b2d4... (specific variant reported by Fortinet) and behavioral signatures include outbound HTTP traffic to IP addresses registered in Russia and Ukraine, writes to %APPDATA%LunaGrabber directory, and creation of a mutex named "LunaGrabber_Mutex_2023"; network indicators include User-Agent strings like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) LunaGrabber/1.0" and C2 domains following the pattern [random]-luna.duckdns.org.
☠️ Risk & Impact
The primary damage from Luna Grabber is data exfiltration of browser-stored credentials and cryptocurrency wallet keys, leading to account takeover, financial theft, and identity fraud; the malware has predominantly affected individual consumers and small businesses in the technology, gaming, and cryptocurrency sectors, with an estimated 5,000–10,000 infections globally based on telemetry from Fortinet and VirusTotal submissions, though financial losses are not publicly quantified.
🛡️ Mitigation
Defensive measures include implementing email filtering to block malicious ZIP attachments, enforcing application-control policies that prevent execution from %APPDATA% directories, deploying endpoint detection and response (EDR) rules that flag outbound HTTPS traffic to dynamic DNS domains, and maintaining patched browsers to mitigate exploitation of CVE-2023-xxxx (no specific CVE assigned to this malware itself); organizations should also enable multi-factor authentication on all accounts and use hardware-based cryptocurrency wallets to reduce exposure.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.