The new information-stealing malware “Erbium” is distributed as fake cracks and cheats for popular video games to steal victims’ credentials and cryptocurrency wallets.
Erbium is a new Malware-as-a-Service (MaaS) that provides subscribers with new information-stealing malware that is gaining popularity in the cybercriminal community due to its extensive functionality, customer support and competitive pricing.
Researchers from The Cluster25 team were the first to report on Erbium earlier this month, but a new report from Cyfirme shares additional information about the distribution of the password-stealing Trojan.
New Malware-as-a-Service Operation
Erbium has been promoted on Russian-speaking forums since July 2022, but its actual deployment in nature is so far uncertain.
Erbium initially cost $9 per week, but since its popularity surged in late August, the price has risen to $100 per month or $1,000 for a full year’s license.
Compared to the “de facto” choice in the field, the RedLine thief, Erbium’s cost is around a third, so it aims to disrupt the market for malware commonly used by threat actors.
Like other information-stealing malware, Erbium will steal data stored in web browsers (Chromium or Gecko-based), such as passwords, cookies, credit cards, and autofill information.
The malware also attempts to exfiltrate data from a large number of cryptocurrency wallets installed on web browsers as extensions.
Cold desktop wallets like Exodus, Atomic, Armory, Bitecoin-Core, Bytecoin, Dash-Core, Electrum, Electron, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash and Jaxx are also stolen.
Erbium also steals two-factor authentication codes from Trezor Password Manager, EOS Authenticator, Authy 2FA and Authenticator 2FA.
The malware can capture screenshots of all monitors, snatch Steam and Discord tokens, steal Telegram authentication files, and profile the host based on operating system and hardware.
All data is exfiltrated to the C2 via an integrated API system, while operators get an overview of what has been stolen from each infected host on an Erbium dashboard, shown below.
The malware uses three URLs to connect to the panel, including Discord’s Content Delivery Network (CDN), a platform that malware operators have widely abused.
Although Erbium is still a work in progress, users of hacker forums have praised the author’s efforts and willingness to listen to customer requests.
Cluster25 has reported signs of Erbium infections around the world, including in the United States, France, Colombia, Spain, Italy, India, Vietnam and Malaysia.
While the first Erbium campaign uses game cracks as decoys, distribution channels could diversify significantly at any time, as buyers of the malware may choose to distribute it via different methods.
To keep your system safe from the threat, avoid downloading pirated software, scan all downloaded files on an antivirus tool and keep your software updated by installing the latest available security patches.