The Lunar malware builders aren’t unique: There are many varieties of “grabber builders” available online.
Sometimes when you’re doing research, you stumble across something unexpected. That’s what happened to the Avast team when they were investigating ransomware. They found something that seemed like regular ransomware, but there were a few weird things that caught their eye. The first: The requested ransom fee was only $25.
Upon further investigation, the team found that this malware was encrypting files and renaming them with the extension “.LUNAR.” They also found other malware in the family, but instead of ransomware they were information stealers and crypto miners.
The team was confused — this malware family wasn’t in the vein of the usual stuff they come across. Why was someone taking the time to create and spread something that had such a low profit possibility? And why the variety?
They kept digging and found a Discord server dedicated to a “Lunar” malware family, which they quickly determined was a “malware-as-a-service” product. Malware-as-a-service is a recent trend that allows people to hack other people without any programming or technical skills. It’s basically plug-and-play hacking for whomever is interested, only requiring users to determine details like a custom icon or a binary to be used as a carrier for the malicious code.
The creator of the malware was selling it on the Discord server, taking suggestions from clients, and even hosting giveaways. Community members were sharing plugins with each other or sometimes just hanging out to chat. And as the Avast team spent more time in the community, observing their behavior and vocabulary, they realized something surprising: most of the members were minors between the ages of 11 and 16.
“We presume that this is exactly the reason why the author of Lunar, known on Discord as Nex, advertises low prices (5-25 EUR) for access to their malware builder,” Avast malware researcher Jan Holman says. “This hypothesis is also supported by a fact that a lot of the malware’s functionality, and definitely most of the plugins submitted by other members of the community, are aimed at annoying victims rather than causing actual harm.”
They also realized that, while the Lunar malware builder included options like password and information stealing, crypto mining, and ransomware, that wasn’t what they primarily advertised. Instead, they focused on features like stealing gaming accounts, deleting Fortnite or Minecraft folders, or repeatedly opening a web browser with Pornhub.
In other words: Pranks that teenagers might be interested in.
The Lunar malware builders aren’t unique: There are many varieties of “grabber builders” available online. They’re usually short-lived malware campaigns based on a source code from GitHub or even some other builder, rebranded with a new logo and name, and sometimes slightly tweaked or modified with new functionality.
While they vary somewhat in the functionality they offer, the functionality they deliver, and the obfuscation used, they’re all fundamentally the same. They have similar .NET-based GUIs with slightly different layouts, color pallets, names, and logos. Still, they offer the same primary function: generating custom malware samples by checking a few checkboxes and filling a few form fields.
The Avast team has seen many similar builders to Lunar, such as Itr0ublveTSC, Mercurial, Snatch, HideGrabber, PirateStealer, AsteroidLLC, Stely, Viny, Rift, etc. These builders share some code and have a similar modus operandi. The other builders also have similar groups and communities online.
Discord confirmed they take action to address these types of communities, and has banned the servers associated with Avast’s findings.
Once the teens have the malware-as-builder, they have to figure out how to deploy it, a task in which the community often assists. They might disguise the malware as cracked games or game hacks or make them inconspicuous by using icons and filenames of legitimate game executables. Sometimes they even bundle them with actual benign binaries, essentially sneaking the malicious code onto a victim’s device in disguise.
They also lure victims through things like “bait” videos on YouTube, encouraging people to download the desired media. Once the attacker has the video set up, they post it in the Discord server and all of the other community members go to comment on it, providing social validation for potential victims. They even go so far as to “warn” victims that their antivirus might block it and give instructions on how to let the file slip through by allowing exceptions.
“We strongly caution against downloading cracked software and game cheats and especially against ignoring antivirus warnings and creating exceptions for such programs,” Avast malware researcher Jan Holman says. “If your AV program flags a keygen or a cracked game as malware, chances are it really does contain malware. It is not the AV's job to care about the legality of your software.”
But while there seems to be community support, there’s also plenty of conflict. The Avast team observed infighting, instability, potential bullying, and members stealing each others’ code and selling it themselves. These communities tend to flare up and die down quickly, as builders become bored or the negativity of the group becomes too much.
When it comes to actual threats, the impact of this group is relatively low. The Avast team didn’t plan on spending much time at all on it, but they chose to share their findings specifically because the people involved — both perpetrators and victims — are primarily minors.
That’s very clear from the conversations, which include open banter about age, comments like “I don’t want to use my mom's paypal,” and conversations about taking over a teacher’s device during class. Discord shared with Avast that they advise parents to help tailor the child’s settings to prevent them from receiving messages from strangers. More safety tips for parents can be found on the Discord blog.
Screenshots from Discord related to the Lunar builder.
“These communities may seem attractive to kids as hacking is seen as cool and malware builders provide a cheap and easy opportunity to ‘hack’ someone and to brag about it to peers,” Holman says. “They can also offer a chance to learn a bit of programming; the community is somewhat helpful in that area. However, these acts are still illegal and deserve to be noted.”
The Threat Labs team also points out that the operational security in these groups was poor, with social media accounts easily accessible or personal information directly shared in the chat. And finally, while the actions taken by the perpetrators could be viewed as childish pranks, they could also put their victims — and their victims’ parents, if they share devices — in real danger, potentially exposing their sensitive data to professional cybercriminals.
Following the discovery and analysis of the server by Avast Threat Labs, researchers notified Discord who later took the server offline.
Our young people are always learning. It’s a great time to expand their cyber education to help keep them safe in the classroom.
The beginning of the school year is the perfect time to boost your child’s digital literacy by talking to them about online safety, cybersecurity in school, and celebrating their digital milestones.