Erbium stealer on the hunt for data

There’s a new slice of malware-as-a-service doing the rounds, although its actual newness is somewhat contested. The stealer, called Erbium, was first spotted on forums back in July 2022, but it seems nobody is quite sure when it started being deployed and snagging victims. Nevertheless, it is now happily causing chaos for victims as it looks to steal a sizeable portion of data from infected machines.

A slick tool with its own fully functional dashboard, Erbium sets its sights on targets not entirely dissimilar to those of other data stealers. System data collection, drive enumeration, and loading processes and DLLs into memory are all tell-tale signs that bad things are afoot on the target computer.

Erbium targets multiple forms of cryptocurrency wallet, along with password management software and two-factor authentication (2FA) data. Connections are made to Discord’s Content Delivery Network, potentially in order to download more malware. According to the latest research available, it leans into the well-worn tactic of plundering several web browsers for passwords, autofill data, and cookies. Browsers listed include Firefox, Chrome, and Pale Moon, and even the email client Thunderbird gets a mention.

In fact, many of the cryptocurrency wallets targeted are browser extensions. According to Bleeping Computer, this includes iWallet, Clover Wallet, Steem Keychain, ZilPay, and many more. Several cold wallets are also in the malware’s crosshairs, and, to top it all off, it does of course have the ability to take screenshots of the victim’s desktop.

The most recent campaign described by researchers uses well-worn tricks which never seem to go out of fashion. Specifically, the malware is stored on free file hosting and posed as cheats or cracks. Using free file hosting for malware storage makes it easy for its operators to set up shop somewhere else, should the malware be taken down by the hosts.

The attackers are said to make use of drive-by download techniques to spread the files, a term that covers all forms of unintended software installation, such as software installed via browser exploits or bundled with legitimate downloads. There are no more specifics, but outside of this campaign, it is very common to see these sorts of files promoted in fake YouTube videos or even in the comments under legitimate videos.

Once enough data is gathered by the malware authors, it’s off to the underground marketplaces to trade and/or sell the stolen information. Erbium has become very popular in recent months, with Bleeping Computer reporting that the cost of doing business has risen from $9 per week to $100 per month.

Competition is fierce in malware-as-a-service land, but Erbium seems to be sticking around.

Users of Malwarebytes are protected from the two payloads mentioned in the Duskrise article [1], [2], and the various payloads [1], [2] listed in the Cyfirma writeup.

Stay safe out there!

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.