The Erbium malware threat is being offered for sale to interested cybercriminals in a new Malware-as-a-Service (MaaS) scheme. The threat was first observed being promoted on Russian hacker forums in July 2022. Back then, Erbium was available for just $9 per week, but due to its quick adoption among cybercriminals and rise in popularity, the price was increased to $100 per month or $1000 for a year-long license just a few months later. Even after the increase, Erbium is still offered at just a third of the price of the RedLine Stealer, the most commonly used stealer among cybercriminals. Information about Erbium was first shared by the infosec researchers at Cluster25, with additional details provided in a report by Cyfirma.
Erbium is equipped with an expansive set of invasive features, which is one of the main reasons for its surge in adoption among hackers. The threat can collect data from numerous Chromium- and Gecko-based Web browsers, including passwords, cookies, saved autofill data, credit/debit card numbers, etc. Furthermore, it can extract data from over 40 different cryptocurrency wallets installed as browser extensions. Desktop wallets are targeted as well, with Erbium going after Bytecoin, Dash-Core, Electrum, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash, Jaxx, Exodus, Atomic and more.
In addition, threat actors can use Erbium to intercept 2FA (Two-Factor Authentication) codes from several password-manager and authentication applications: EOS Authenticator, Authy 2FA, Authenticator 2FA and Trezor Password Manager. The threat can be instructed to take screenshots from all monitors connected to the breached device, collect Steam/Discord tokens and harvest Telegram auth files. OS and hardware details may also be included in the exfiltrated data.
So far, attacks deploying Erbium have been identified in multiple countries across several continents. Infections have been reported in France, Spain, Italy, the USA, Colombia, India, Vietnam and Malaysia. The typical infection vector begins with victims searching for and downloading fake cracks and cheats for popular video games.