A new information stealing malware is being distributed as malware-as-a-service (MaaS) by threat actors under the guise of fake cheats for popular video games. The malware known as Erbium is designed to harvest the credentials from the victims, stealing passwords and other login information for a range of accounts, including cryptocurrency wallets. Threat researchers CYFIRMA have released a report this week to disclose their new research and analysis of this stealer malware. The Cluster25 Threat Intel Team also released their own research earlier this month.
Erbium is a trojan that is being sold in hacker forums and criminal marketplaces. It has been identified in multiple countries worldwide, including the USA, India, Colombia, Vietnam, Malaysia, and many countries across Europe. Identified as early as July 2022 in Russian-speaking forums, this sophisticated malware contains obfuscated elements of code using XOR logic to evade detection by firewalls and other security measures. Malicious actors can purchase Erbium to steal passwords, 2FA authentication codes, and crypto wallet credentials, which they can then use later in other criminal campaigns, such as in ransomware attacks.
By tricking their victims into believing it is a video game cheat or crack that will give them an advantage in the game over other players, attackers lure individuals into downloading the stealer trojan. This hides itself in the DLL library in a %temp% location, triggering a process that calls the LoadLibraryA API. These DLL files connect with the Erbium C2 server, and an additional connection is established through chat service Discord’s Content Delivery Network (CDN) servers. Data stored in web browsers and extensions such as passwords, cookies, autofill information, crypto wallet information, and data from 2FA and password management software is then harvested and exfiltrated by the attackers.
Individuals can avoid falling victim to these sorts of attacks by avoiding downloading suspicious software. This includes avoiding potentially pirated software, and video-game cheats, which are available on non-official websites. Security managers can help protect their networks by filtering web browser traffic against block lists of malicious websites known to serve malware – both when devices are connected to the company network and when used at home.