Erbium Infostealer Spreads as Game Cracks and Cheats

Earlier this month, analysts from Cluster25 discovered a new malware called Erbium, designed to steal data. Now, researchers at Cyfirma report that this malware is being distributed under the guise of cracks and cheats for popular games, stealing victims’ account credentials and cryptocurrency wallet information.

Erbium is a new Malware-as-a-Service (MaaS) focused on information theft. According to experts, the malware is quickly gaining popularity in the hacker community due to its extensive features, customer support, and competitive pricing.

Erbium has been advertised mainly on Russian-language hacker forums since July 2022, but there is still little information about its actual use by cybercriminals. Initially, the malware cost just $9 per week, but as its popularity grew, the price increased to $100 per month or $1,000 for an annual license by the end of August. This makes Erbium about one-third cheaper than the popular RedLine infostealer.

Features and Capabilities

Like other data-stealing malware, Erbium can steal information stored in victims’ browsers (based on Chromium or Gecko), including passwords, cookies, banking card data, and autofill information. The malware can also extract data from various cryptocurrency wallets installed as browser extensions.

Additionally, Erbium targets cold desktop wallets, including Exodus, Atomic, Armory, Bitcoin-Core, Bytecoin, Dash-Core, Electrum, Electron, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash, and Jaxx.

Erbium is also capable of stealing two-factor authentication codes from Trezor Password Manager, EOS Authenticator, Authy 2FA, and Authenticator 2FA.

Beyond these features, the malware can take screenshots from all monitors connected to the infected user’s computer, steal Steam and Discord tokens, extract Telegram authentication files, and create a profile of the infected host based on its operating system and hardware.

Data Transmission and Control

All data collected by Erbium is sent to a command-and-control server via a built-in API system. In the admin panel, malware operators can see exactly what was stolen from each infected host. To connect to the control panel, the malware uses three URLs, including Discord’s CDN, which hackers continue to abuse actively.
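Discord's CDN is a legitimate host, so the useful defender signal is which process is fetching from it, not the host itself. The following is an added detection sketch, not code from the article or from Cluster25 or Cyfirma: it runs over constructed log records and flags Discord CDN fetches from any process that is not Discord or a browser; the log format and the allow-list of expected clients are assumptions.

```python
"""Flag Discord CDN fetches by processes that are not Discord or a browser.

Added example, not from the article. The record format (tab-separated
timestamp, process, destination host, URL path) is a constructed stand-in
for what an EDR or web proxy would export.
"""
from typing import Dict, List

# Discord CDN hosts (real hostnames; the article names Discord's CDN as abused for C2).
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Processes expected to contact Discord's CDN on a normal workstation (assumption).
EXPECTED_CLIENTS = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe", "brave.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'timestamp<TAB>process<TAB>host<TAB>path' record."""
    ts, proc, host, path = line.rstrip("\n").split("\t")
    return {"ts": ts, "proc": proc.lower(), "host": host.lower(), "path": path}


def suspicious_discord_cdn_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return events where an unexpected process fetched from Discord's CDN."""
    hits = []
    for line in lines:
        if not line.strip():
            continue  # skip blank records
        ev = parse_event(line)
        if ev["host"] in DISCORD_CDN_HOSTS and ev["proc"] not in EXPECTED_CLIENTS:
            ev["reason"] = "non-browser, non-Discord process fetched from Discord CDN"
            hits.append(ev)
    return hits


# Constructed sample records; process names, IDs and paths are invented.
SAMPLE_LOG = """2022-09-28T10:00:01Z\tdiscord.exe\tcdn.discordapp.com\t/attachments/111/222/avatar.png
2022-09-28T10:00:05Z\tchrome.exe\tcdn.discordapp.com\t/attachments/111/223/meme.gif
2022-09-28T10:01:10Z\tgame_crack.exe\tcdn.discordapp.com\t/attachments/999/888/config.txt
2022-09-28T10:01:12Z\tgame_crack.exe\tupdate.example.net\t/api/upload
"""

if __name__ == "__main__":
    for ev in suspicious_discord_cdn_events(SAMPLE_LOG.splitlines(keepends=True)):
        print(ev["ts"], ev["proc"], ev["host"] + ev["path"], "->", ev["reason"])
```

In a real deployment the allow-list should be derived from the fleet's own baseline, since any unlisted legitimate client will otherwise produce alerts.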

Global Spread and Distribution Methods

According to Cluster25, signs of Erbium infections have already been detected worldwide, including in the United States, France, Colombia, Spain, Italy, India, Vietnam, and Malaysia.

Although the campaign discovered by Cyfirma uses game cracks and cheats as bait and infects victims through drive-by downloads, experts warn that the malware’s distribution channels may change depending on the preferences of its buyers.
