Researchers on the Cluster25 Intel Team have reported on a new strain of stealer malware, Erbium, that is sold on Russian hacking forums as a recurring subscription. The operators behind Erbium appear to be trying to disrupt the Malware-as-a-Service (MaaS) market by offering their stealer at a fraction of the cost of its competitors.
Erbium aims to steal a vast swath of data from victim hosts:
- Desktop screenshots from all monitors.
- PC information (CPU, GPU, disk, RAM, number of monitors, monitor resolutions, MAC address, Windows version, Windows owner, PC name, PC architecture, Windows license key).
- Passwords, cookies, history, maps, and autofill data from the most popular Gecko- and Chromium-based browsers.
- Cold wallets from browser extensions (MetaMask, TronLink, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaxx Liberty, BitApp Wallet, iWallet, Wombat, MEW CX, GuildWallet, Saturn Wallet, Ronin Wallet, NeoLine, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox, Cyano Wallet, Byone, OneKey, LeafWallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98 Wallet, Harmony, KardiaChain, Rabby, Phantom, TON Crystal Wallet).
- Other browser plugins (Authenticator, Authy, Trezor Password Manager, GAuth Authenticator, EOS Authenticator).
- Steam (list of accounts and authorization files).
- Discord (tokens).
- FTP clients (FileZilla, Total Commander).
- Telegram (authorization files).
- Cold desktop wallets (Exodus, Atomic, Armory, Bitcoin-Core, Bytecoin, Dash-Core, Electrum, Electron, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash, Jaxx).
The primary delivery mechanism for Erbium currently centers on video game cracks and cheats, although delivery methods can change at any time. Cluster25 believes that Erbium could become the stealer of choice for threat actors because of its affordability and wide range of capabilities.