The new “Erbium” information-stealing malware is being distributed as fake cracks and cheats for popular video games to steal users’ credentials and cryptocurrency wallets. Erbium is a new Malware-as-a-Service (MaaS) offering that gives subscribers access to the information-stealing malware, and it is gaining popularity among cybercriminals because of its broad capabilities, responsive customer support, and low price. Erbium was first documented earlier this month by researchers at Cluster25, and a new report from Cyfirma adds detail on how the password-stealing trojan is distributed.
Erbium has been advertised on Russian-speaking forums since July 2022, although when it was first deployed in the wild remains unclear. As its popularity grew in late August, the price rose from $9 per week to $100 per month, or $1,000 for a full-year license. Erbium appears aimed at undercutting the established stealer market: it costs roughly a third less than RedLine Stealer, the de facto option among threat actors.
Erbium steals data saved in web browsers (Chromium- or Gecko-based), including passwords, cookies, credit card details, and autofill data. It also attempts to steal data from several cryptocurrency wallets installed as browser extensions. Among the desktop (cold) wallets targeted are Exodus, Atomic, Armory, Bitcoin-Core, Bytecoin, Dash-Core, Electrum, Electron, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash, and Jaxx.
Erbium also targets two-factor authentication and password-manager extensions, including Authy 2FA, Authenticator 2FA, EOS Authenticator, and Trezor Password Manager. The malware can steal Telegram authentication files, capture screenshots of all displays, steal Steam and Discord tokens, and profile the host’s operating system and hardware. All collected data is exfiltrated to the command-and-control (C2) server through an integrated API, and operators can view a summary of what was taken from each infected host on the Erbium dashboard.
The malware reaches its panel through three URLs, one of them hosted on Discord’s Content Delivery Network (CDN), infrastructure that malware operators have widely abused because its traffic blends in with legitimate use. Although Erbium is still a work in progress, users of hacking forums have praised the author’s effort and responsiveness to customer requests. Cluster25 has reported signs of Erbium infections worldwide, including in the USA, France, Colombia, Spain, Italy, India, Vietnam, and Malaysia.
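Because the C2 traffic described above rides on a legitimate service, blocking the domain outright is rarely an option; a more practical check is to look for processes that have no business talking to Discord’s CDN at all. The script below is an added example, not code from the article or from Cluster25 or Cyfirma. It runs over a few constructed network-connection log lines and flags any contact with cdn.discordapp.com (the hostname is assumed, since the article does not name it) initiated by a process outside an allowlist of browsers and the Discord client. The log format and the allowlist are assumptions to be adapted to whatever endpoint telemetry (Sysmon event 3, EDR network events, proxy logs) is actually available.

```python
"""Flag Discord CDN connections from processes that would not normally make them."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: the article only says "Discord's CDN"; this is the hostname used here.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}

# Assumption: processes for which Discord CDN traffic is expected. Tune per fleet.
EXPECTED_IMAGES = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Constructed log format: <timestamp> host=<name> image="<process path>" dest=<host>:<port>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) image="(?P<image>[^"]+)" '
    r'dest=(?P<dest>[^:\s]+):(?P<port>\d+)$'
)


@dataclass(frozen=True)
class NetEvent:
    timestamp: str
    host: str
    image: str        # full path of the process that opened the connection
    dest_host: str
    dest_port: int


def parse_line(line: str) -> Optional[NetEvent]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return NetEvent(m["ts"], m["host"], m["image"], m["dest"].lower(), int(m["port"]))


def image_basename(path: str) -> str:
    """Lower-cased file name of a process image, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_suspicious(ev: NetEvent) -> bool:
    """True when a non-allowlisted process talks to a Discord CDN host."""
    return ev.dest_host in DISCORD_CDN_HOSTS and image_basename(ev.image) not in EXPECTED_IMAGES


def find_suspicious(lines: Iterable[str]) -> List[NetEvent]:
    """Return every parseable event that matches the detection logic."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and is_suspicious(ev):
            hits.append(ev)
    return hits


# Constructed sample telemetry: legitimate Discord and browser traffic, then a
# "game crack" dropped in Downloads that reaches the same CDN, then unrelated traffic.
SAMPLE_LOG = """\
2022-09-26T10:01:02Z host=WS-017 image="C:\\Users\\bob\\AppData\\Local\\Discord\\Discord.exe" dest=cdn.discordapp.com:443
2022-09-26T10:02:11Z host=WS-017 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" dest=cdn.discordapp.com:443
2022-09-26T10:03:45Z host=WS-017 image="C:\\Users\\bob\\Downloads\\game_crack_setup.exe" dest=cdn.discordapp.com:443
2022-09-26T10:04:00Z host=WS-017 image="C:\\Users\\bob\\Downloads\\game_crack_setup.exe" dest=update.example.net:443
malformed line that the parser should skip
"""

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{ev.timestamp} {ev.host} {image_basename(ev.image)} -> {ev.dest_host}:{ev.dest_port}")
```

Only the third sample line is reported. The allowlist is the weak point of this rule: a stealer injected into a browser process inherits the browser’s image name, so in practice this check is paired with process-integrity telemetry rather than relied on alone.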
Although the first Erbium campaign uses game cracks as its lure, buyers of the malware can switch to other distribution techniques at any time, which could quickly diversify the delivery channels. To keep the threat off your systems, avoid downloading pirated software, scan every downloaded file with antivirus software, and keep your software up to date by applying the latest security patches.