Researchers on the Cluster25 Intel Team have reported on a new strain of stealer malware available for purchase with a recurring subscription on Russian hacking forums. The operators behind Erbium seem to be trying to disrupt the Malware-as-a-Service (MaaS) market by providing their stealer malware at a fraction of the cost of its competitors.
Erbium aims to steal a vast swath of data from victim hosts:
- Desktop screenshot from all monitors.
- PC information (CPU, GPU, DISK, RAM, number of monitors, monitor resolutions, monitor resolutions, MAC, Windows version, Windows owner, PC name, PC architecture, Windows license key)
- Passwords, cookies, history, maps, autofill from most popular browsers based on Gecko and Chromium
- Cold wallets from browsers (MetaMask, TronLink, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaxx Liberty, BitApp Wallet, iWallet, Wombat, MEW CX, GuildWallet, Saturn Wallet, Ronin Wallet, NeoLine, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox, Cyano Wallet, Byone, OneKey, LeafWallet, DAppPlay, BitClip, Steem Keychain, Nash Extension , Hycon Lite Client, ZilPay, Coin98 Wallet, Harmony, KardiaChain, Rabby, Phantom, TON Crystal Wallet)
- Other browser plugins (Authenticator, Authy, Trezor Password Manager, GAuth Authenticator, EOS Authenticator)
- Steam (list of accounts and authorization files)
- Discord (tokens)
- FTP clients (FileZilla, Total Commander)
- Telegram (authorization files)
- Cold desktop wallets (Exodus, Atomic, Armory, Bitecoin-Core, Bytecoin, Dash-Core, Electrum, Electron, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash, Jaxx)
The primary delivery mechanism for Erbium is currently centered around video game cracks and cheats. However, delivery methods can change at any time. Cluster25 believes that Erbium could become the stealer of choice for threat actors due to its affordability and wide range of capabilities.
Erbium displays the importance of only downloading files from trusted sources. Cracked (free) games are a tempting target for many gamers that can’t afford to play the latest and greatest games on the market and are in the position to be more susceptible to downloading questionable programs.
At the very least, users should scan any downloaded files using Windows Defender or antivirus software of choice, as well as upload the downloaded file to a website like VirusTotal to see if any additional AV vendors indicate suspicion.
Often, game cracks and cheats will tell users that being flagged by AV is expected, due to the nature of software cracking and that users should ignore any alert. Extreme caution should be exercised when executing these cracked games and cheats.