A new malware-as-a-service (MaaS) operation – Erbium – is gaining popularity in the cybercrime community. The MaaS provides strong customer support, the malware is competitively priced, and it has extensive functionality.
According to a recent report from Cyfirma, the MaaS operation has been advertised on Russian-language hacking forums since at least July. Initially the malware was offered for just $9 per week; as demand grew, the price was raised to $100 per month or $1,000 per year. The current go-to stealer in the cybercrime community is RedLine, but Erbium is disrupting that market by selling for roughly one-third of the price. While Erbium is clearly still a work in progress, it has attracted positive reviews from users and is likely to grow in popularity.
Erbium is an information stealer. It harvests passwords and credit card numbers saved in Chromium- and Gecko-based web browsers, along with cookies and autofill data, and targets two-factor authentication data held by browser extensions such as Trezor Password Manager, EOS Authenticator, Authy 2FA, and Authenticator 2FA.
The malware also goes after cryptocurrency wallets installed as browser extensions and desktop wallets including Armory, Atomic, Bitcoin-Core, Bytecoin, Coinomi, Dash-Core, Electron, Electrum, Ethereum, Exodus, Jaxx, Litecoin-Core, Monero-Core, and Zcash.
Compiled with Microsoft Visual C++, the malware fingerprints the operating system, installed applications, and hardware; enumerates drives, paths, files, and folders; can load libraries, processes, and DLLs into memory; takes screenshots; and steals Steam and Discord tokens and Telegram authentication files. Exfiltration is built in: stolen data is sent over an API to the operators' backend, and each customer gets a dashboard showing what has been collected from each victim.
Currently, the malware is distributed in fake cracks and product activators for commercial software and in cheats for popular video games, so the best defense is not to download pirated software or game cheats at all. Other distribution methods are likely to follow, so it is also advisable to keep software up to date with security patches applied promptly, and to scan every file downloaded from the Internet or received by email with antivirus software before opening it.
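Beyond prevention, the capability list above gives defenders something concrete to hunt for: a single process that is not a browser, Discord, Steam, Telegram or a wallet application reading several of those secret stores in quick succession, particularly when that process runs from a Downloads or Temp folder where a "crack" or "activator" would land. The following Python script is an added example illustrating that hunt logic; it is not code from the article, Cyfirma or Cluster25. The JSON event schema (`ts`, `image`, `path`) is an assumed, simplified stand-in for an EDR file-access feed, the sample events are constructed for the demo, and the list of store locations and legitimate owner processes is an assumption to be tuned per environment rather than Erbium's own target list.

```python
"""Hunt file-access telemetry for non-owner processes reading the local
secret stores an infostealer like Erbium targets: browser credential,
cookie and autofill databases, Discord/Steam/Telegram session data, and
desktop wallets.

Added example for this article, not code from the article, Cyfirma or
Cluster25.  The event schema (ts/image/path JSON lines) is an assumed
simplified stand-in for an EDR file-access feed; the sample events are
constructed for the demo.
"""
import json
import re
from collections import defaultdict

# Well-known on-disk locations of the data the article says Erbium collects.
# Matched on a lower-cased, forward-slash-normalised path.  Assumption: tune
# this per environment; it is not Erbium's own list.
TARGETS = {
    "browser_credentials": re.compile(r"/(login data|logins\.json|key4\.db)$"),
    "browser_cookies":     re.compile(r"/(cookies|cookies\.sqlite)$"),
    "browser_autofill":    re.compile(r"/web data$"),
    "discord_token":       re.compile(r"/discord/local storage/leveldb/"),
    "steam_token":         re.compile(r"/steam/(config/loginusers\.vdf|ssfn\d+)$"),
    "telegram_session":    re.compile(r"/telegram desktop/tdata/"),
    "crypto_wallet":       re.compile(
        r"/(exodus/exodus\.wallet|electrum/wallets|bitcoin/wallet\.dat|atomic/local storage/leveldb)"),
}

# Processes that legitimately open each store; anything else is a finding.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
LEGIT_OWNERS = {
    "browser_credentials": BROWSERS,
    "browser_cookies":     BROWSERS,
    "browser_autofill":    BROWSERS,
    "discord_token":       {"discord.exe"},
    "steam_token":         {"steam.exe"},
    "telegram_session":    {"telegram.exe"},
    "crypto_wallet":       {"exodus.exe", "electrum.exe", "bitcoin-qt.exe", "atomic wallet.exe"},
}

# Where cracked installers and game cheats typically execute from (the
# article's delivery vector); a reader running from here is rated higher.
STAGING_DIRS = re.compile(r"/(downloads|desktop|appdata/local/temp|windows/temp)/")


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def classify(event: dict):
    """Return (category, severity) for a non-owner read of a targeted store,
    or None when the path is uninteresting or the reader owns the store."""
    image, path = _norm(event["image"]), _norm(event["path"])
    exe = image.rsplit("/", 1)[-1]
    for category, pattern in TARGETS.items():
        if pattern.search(path):
            if exe in LEGIT_OWNERS[category]:
                return None  # the application that owns the store
            severity = "high" if STAGING_DIRS.search(image) else "medium"
            return category, severity
    return None


def hunt(jsonl: str) -> dict:
    """Aggregate findings per process image.  One process reaching into two
    or more distinct store types is the stealer pattern; a single store could
    still be a backup agent or a password-migration tool."""
    per_process = defaultdict(lambda: {"categories": set(), "events": 0, "severity": "medium"})
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hit = classify(event)
        if hit is None:
            continue
        category, severity = hit
        rec = per_process[event["image"]]
        rec["categories"].add(category)
        rec["events"] += 1
        if severity == "high":
            rec["severity"] = "high"
    for rec in per_process.values():
        rec["verdict"] = "stealer-like" if len(rec["categories"]) >= 2 else "suspicious"
    return dict(per_process)


# Constructed sample telemetry: a browser and Discord touching their own
# stores, a backup agent reading one store, an unrelated document read, and
# an "activator" run from Downloads sweeping browser, Discord and wallet data.
SAMPLE_EVENTS = r"""
{"ts":"2022-09-28T10:01:02Z","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2022-09-28T10:03:11Z","image":"C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.9006\\Discord.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\discord\\Local Storage\\leveldb\\000003.ldb"}
{"ts":"2022-09-28T10:05:40Z","image":"C:\\Users\\alice\\Downloads\\Photoshop_2022_crack\\activator.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2022-09-28T10:05:41Z","image":"C:\\Users\\alice\\Downloads\\Photoshop_2022_crack\\activator.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\discord\\Local Storage\\leveldb\\000003.ldb"}
{"ts":"2022-09-28T10:05:42Z","image":"C:\\Users\\alice\\Downloads\\Photoshop_2022_crack\\activator.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"}
{"ts":"2022-09-28T10:07:00Z","image":"C:\\Program Files\\AcmeBackup\\backup.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3.default\\logins.json"}
{"ts":"2022-09-28T10:08:15Z","image":"C:\\Windows\\explorer.exe","path":"C:\\Users\\alice\\Documents\\report.docx"}
"""

if __name__ == "__main__":
    for image, rec in hunt(SAMPLE_EVENTS).items():
        print(f"{rec['verdict']:12} {rec['severity']:6} {image}  stores={sorted(rec['categories'])}")
```

Run as-is, the script reports the activator as stealer-like with high severity and the backup agent as merely suspicious, while the browser, Discord and Explorer reads produce nothing. One practical caveat: Sysmon does not record file reads, so feeding this logic requires EDR or ETW file-access telemetry, or Windows object-access auditing (a SACL on the credential files, surfaced as event 4663) on the stores you care about most.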
According to DuskRise's Cluster25 team, which first described the malware, Erbium has the potential to become one of the most widely used information stealers because of its extensive capabilities and competitive pricing.