Erbium info-stealing malware, a new choice within the risk landscape


The recently discovered Erbium information-stealer is being distributed as pretend cracks and cheats for popular video games.

Threat actors behind the new ‘Erbium’ information-stealing malware are distributing it as faux cracks and cheats for popular video games to steal victims’ credentials and cryptocurrency wallets.

The Erbium info-stealing malware was first noticed by researchers at menace intelligence firm Cluster25 on July 21, 2022. The Malware-as-a-Service (MaaS) was marketed on a Dark Web discussion board by a Russian-speaking risk actor.

The creator said that he spent a quantity of months growing Erbium which supports distinctive functionalities. According to cybersecurity agency Cyfirma, the Erbium Stealer helps the following capabilities:

  • Ability to enumerate drives.
  • Ability to enumerate paths, information, and folders.
  • Capability to load different libraries, processes, and DLLs in memory.
  • Ability to Gather System Information.
  • Network communication functionality.
  • Collecting user credentials, such as passwords, from a spread of in style chat and e mail packages, in addition to internet browsers.
  • Ability to acquire data from numerous installed functions.
  • Ability to acquire cryptocurrency wallet info [log-in credentials and stored funds].
  • Ability to collect knowledge of Authentication (2FA) and password-managing software.

“Recently CYFIRMA’s analysis team detected a new sample of Erbium stealer in wild. We observed one of the current gaming campaigns where the risk actors lure gamers/players who wish to purchase an unfair or prohibited edge over different gamers with the malicious binary posted on MediaFire [free service for file hosting].” states CYFIRMA. “Threat actors are spreading this malware utilizing drive-by-download methods and pretending as cracked software/game hacks.”

Experts at Cyfirma lately analyzed a brand new sample Erbium stealer in the wild concentrating on gamers and gamers. Threat actors have been providing to the gamers malicious binaries masquerading as software program that may give them a prohibited edge over other gamers.

Initially, the malware was sold at a price ranging between 9 to 150 dollars depending on the subscription plan that goes from one week to 1 yr of license. Starting from July, the authors significantly increased the value which ranges from 100 dollars as a lot as a thousand dollars for a one-year subscription and entry to a control panel.

erbium control_panel-1

Cluster25 researchers found that the malware is administered by way of a Telegram bot.

The malware can harvest the following data from the victim systems:

  • Desktop screenshot from all screens.
  • System information (CPU, GPU, DISK, RAM, variety of displays, monitor resolutions, monitor resolutions, MAC, Windows model, Windows proprietor, PC name, PC structure, Windows license key)
  • Passwords, cookies, history, maps, autofill from hottest browsers primarily based on Gecko and Chromium
  • Cold wallets from browsers (MetaMask, TronLink, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaxx Liberty, BitApp Wallet, iWallet, Wombat, MEW CX, GuildWallet, Saturn Wallet, Ronin Wallet, NeoLine, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox, Cyano Wallet, Byone, OneKey, LeafWallet, DAppPlay, BitClip, Steem Keychain, Nash Extension , Hycon Lite Client, ZilPay, Coin98 Wallet, Harmony, KardiaChain, Rabby, Phantom, TON Crystal Wallet)
  • Other browser plugins (Authenticator, Authy, Trezor Password Manager, GAuth Authenticator, EOS Authenticator)
  • Steam (list of accounts and authorization files)
  • Discord (tokens)
  • FTP shoppers (FileZilla, Total Commander)
  • Telegram (authorization files)
  • Cold desktop wallets (Exodus, Atomic, Armory, Bitecoin-Core, Bytecoin, Dash-Core, Electrum, Electron, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash, Jaxx)

“Erbium is an info-stealer capable of strongly impacting the confidentiality and integrity of the information and data contained in the techniques it affects and is an example of how the panorama of malicious instruments is consistently evolving, offering proposals which might be increasingly inside attain of all, in consideration of the low promoting prices.” says Emanuele De Lucia, Director of Cyber Intelligence presso Cluster25.

According to Cluster25 visibility, the malware has already infected techniques in multiple countries, including the USA, France, Colombia, Spain, Italy, India, Vietnam, and Malaysia.

“Cyber-crime is continually evolving within an underground market where it is not uncommon to return throughout new proposals for the acquisition of MaaS options. In Cluster25’s opinion Erbium might become one of the used infostealers by cyber criminals because of its wide range of capabilities and due to the rising demand for MaaS.” concludes Cluster25.

Both Cluster25 and Cyfirma shared Indicators of Compromise (IoCs) for this menace.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Erbium stealer)

Share On


Please enter your comment!
Please enter your name here