A new password-stealing malware called Erbium is being distributed to users via fake game cracks. The malware can steal sensitive information from victims, including credentials for various online accounts and cryptocurrency wallets.
Erbium is a new Malware-as-a-Service (MaaS) offering that steals sensitive information from users under the guise of a game crack. The malware is popular on underground hacking forums and offers exceptional functionality, customer support, and more competitive pricing than most of its peers.
Researchers at Cluster25 reported on the malware earlier this month, and another cybersecurity firm shared information about how the password-stealing trojan works and how it is distributed to victims.
Erbium password-stealing malware
Erbium was being promoted on a Russian-speaking forum and offered multiple packages for threat actors (TAs) to use. According to sources, Erbium initially cost $9 for a one-week campaign. However, with its recent popularity and usage among threat actors, the price went up to $100 per month or $1000 for a full-year license.
Erbium is relatively cheap compared with most popular malware on the market. It is capable of stealing data stored in web browsers and is proficient at stealing passwords, cookies, credit card details, and autofill information.
The malware can exfiltrate data from cryptocurrency wallets via a web browser. It can steal credentials and funds from cold desktop wallet providers, including Bitcoin-Core, Bytecoin, Dash-Core, Electrum, Electron, and more.
The malware can bypass two-factor authentication codes from popular 2FA apps like Trezor Password Manager, EOS Authenticator, Authy 2FA, and Authenticator 2FA. Once deployed, the malware can capture screenshots and steal sensitive information about the user's activity on websites and their profiles on different accounts.
How does Erbium operate?
Once the threat actor has collected enough data on its victims, all the information is exfiltrated to the command-and-control (C2) server via a built-in API system. At this point, the threat actor has access to all the stolen data, which is listed inside the Erbium dashboard.
According to sources, the malware uses three URLs to connect to the panel. Though the malware is still under development and has yet to reach its full potential, many threat actors praise the developer's efforts and are willing to employ the malware in their campaigns.
According to Cluster25, Erbium has successfully infected victims in the USA, France, Colombia, Spain, Italy, India, Vietnam, and Malaysia.