Over the past few months, a new info stealer has emerged. Erbium Stealer is developed by an underground Russian-based group that has been operating since July.
The group seems to work very professionally, creating proper documentation and keeping their clients in the loop regarding new features on an almost weekly basis, via their Telegram channel.
Like many other info stealers that emerged this year, Erbium relies on Telegram's infrastructure for its C2, and focuses on the assets info stealers usually look for, such as saved browser cookies and passwords, crypto wallets, PC information, gaming platforms, Discord and Telegram credentials, etc.
The Cyberint Research Team has found a campaign in which SmokeLoader is used to spread and load the newly introduced Erbium Stealer.
Advertising & Business Model
The threat group developing the Erbium stealer puts its best foot forward to show that their product is unique and well maintained. Although Redline remains the undisputed king of info stealers at the moment, the industry keeps introducing us to new ambitious contenders, and Erbium is one of them.
The group often advertises its product on underground forums (Figure 1) and tries to grow its Telegram community, which already has a few hundred members.
Currently, the group offers several plans for their clients varying between $70 and $1000, depending on the subscription period and panel support (Figure 2).
The group also created a payment bot for their clients’ convenience, which handles basic actions such as subscribing as well as basic campaign management such as changing the C2 link.
Erbium is not only investing its advertising efforts in forums. In a somewhat unique method that we haven’t seen from other info stealers, Erbium makes use of referral programs through which they reward subscribers for adding new members to the “Erbium family”.
Other Advertising Gimmicks
Erbium is looking to stay active within its growing community. They operate a lottery in which they hand out one-day license keys (Figure 3). The keys are missing one character at the end, but the missing character is pretty easy to find.
Although the lottery’s times are unpredictable, it seems to serve as an advertising gimmick that draws enough attention.
The Erbium stealer’s control panel is maintained on a domain that is shared between all subscribers, in a Malware-as-a-Service (MaaS) model (Figure 4).
The panel provides management capabilities and access to the logs gathered by the samples. In addition, the panel is used for building the samples.
When observing the C2 and panel infrastructure we have seen overlapping instances with more mature and popular stealers such as Arkei, DCRat, Raccoon, and FormBook, which suggests that Erbium developers are not new to the game.
Given that the Erbium group, like many other info stealer groups, does not provide a delivery method, threat actors looking to use this stealer need to come up with creative ideas and techniques regarding delivery methods, targeted communities, delivery tools, etc.
One of Erbium’s main campaigns currently uses the notorious SmokeLoader as a delivery tool.
Victimology and Targeted Communities
Given the extended and unusual support for crypto wallets, both web- and client-based, it is obvious that the community most targeted by this stealer is the cryptocurrency community.
The cryptocurrency community is most active on Twitter and Discord, two platforms that are known for being an easy playground for social engineering techniques by threat actors.
Another community largely targeted by this malware is gaming, which sometimes overlaps with the cryptocurrency community.
One campaign we found targeted the gaming community and spread SmokeLoader masquerading as crack files that actually deliver and execute the Erbium stealer.
Upon execution, SmokeLoader writes two executable files to the %TEMP% directory – Update crack.exe and Zelda.exe (Figure 5).
Each file fulfills different parts of the execution and delivery process.
The Zelda.exe file is responsible for performing anti-debugging and anti-VM checks along with disabling AV protections (Figure 6).
The second and more interesting executable, Update crack.exe, is responsible for downloading and executing the actual Erbium sample – a DLL file (Figure 7).
The download is performed via a GET request to the dropzone domain that requests a PHP file, while the response body contains an executable DLL file.
The first communication with the C2 is an authentication request to the /cloud/ path of the C2 (Figure 8).
Shortly after, instructions and configuration information should be provided. The stealer requests instructions and configuration from the C2 using a GET request for a PHP file and receives a JSON response containing encoded and encrypted instructions.
As mentioned, once the Erbium sample is executed, it will mostly look for crypto wallet assets including almost every wallet out there, while most stealers will “settle for” a Metamask wallet alone.
In addition, the stealer will look for Discord and Telegram clients within the victim’s machine.
Other important assets are browser information such as cookies and passwords, as well as password managers such as Trezor, Authenticator, GAuth and more.
Gaming platforms are also a target for this stealer, including Steam and BattleNet.
- Employee security awareness training remains an important step in helping them identify and suspect unsolicited emails and phishing campaigns, especially messages with embedded links or file attachments.
- Using “cold wallets” is essential for protecting crypto assets in cases where a victim’s machine has been compromised by a crypto wallet stealer.
- Multi-factor authentication should be implemented wherever possible to limit the effectiveness of stolen credentials.
- Employees should be reminded of the risks associated with credential reuse and weak passwords, supported by password policies that encourage best practices.
- Limit user permissions according to the principle of least privilege (POLP).
- Ensure that email security controls are applied to limit the delivery of potentially malicious attachments or links to end-users, and implement protocols and security controls such as DKIM, DMARC and SPF.
- Continuous monitoring of unusual endpoint behaviors, such as excessive requests to specific webhosts or unusual URL requests that return DLL files, can provide an early indication of compromise.
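The delivery and C2 traffic described above (a GET for a PHP resource whose response body is actually a DLL, followed by repeated configuration requests to the same host) lends itself to a simple proxy-log check, and the last recommendation asks for exactly that kind of monitoring. The following is an added example written for this article, not Cyberint tooling or code from the Erbium campaign. It assumes a proxy that logs JSON lines with the first bytes of each response body hex-encoded (the `body_hex` field, the `SAMPLE_LOG` records, the hostnames and client addresses are all constructed); it flags responses where a script-style URL returns a PE image (`MZ` header), where the declared content type contradicts a PE body, and where one client makes an unusual number of script requests to one host.

```python
import json
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed proxy log in JSON-lines form (sample data, not captured traffic).
# "body_hex" holds the first bytes of the response body, as a proxy can be
# configured to record. The 10.0.0.9 client repeats one config request six times.
SAMPLE_LOG = """\
{"client": "10.0.0.5", "host": "www.example-shop.test", "path": "/index.php", "content_type": "text/html", "body_hex": "3c21444f4354"}
{"client": "10.0.0.5", "host": "drop.example-zone.test", "path": "/upd/get.php?id=7", "content_type": "application/octet-stream", "body_hex": "4d5a90000300"}
{"client": "10.0.0.9", "host": "drop.example-zone.test", "path": "/cfg/cfg.php", "content_type": "text/html", "body_hex": "4d5a90000300"}
{"client": "10.0.0.9", "host": "drop.example-zone.test", "path": "/cfg/cfg.php", "content_type": "application/json", "body_hex": "7b22636d64"}
{"client": "10.0.0.9", "host": "drop.example-zone.test", "path": "/cfg/cfg.php", "content_type": "application/json", "body_hex": "7b22636d64"}
{"client": "10.0.0.9", "host": "drop.example-zone.test", "path": "/cfg/cfg.php", "content_type": "application/json", "body_hex": "7b22636d64"}
{"client": "10.0.0.9", "host": "drop.example-zone.test", "path": "/cfg/cfg.php", "content_type": "application/json", "body_hex": "7b22636d64"}
{"client": "10.0.0.9", "host": "drop.example-zone.test", "path": "/cfg/cfg.php", "content_type": "application/json", "body_hex": "7b22636d64"}
"""

PE_MAGIC = b"MZ"                                   # DOS header of every Windows PE file
SCRIPT_SUFFIXES = (".php", ".asp", ".aspx", ".jsp")  # server-side script URLs
TEXTUAL_TYPES = ("text/", "application/json")      # declared types that never carry a PE


@dataclass
class HttpEvent:
    client: str
    host: str
    path: str
    content_type: str
    body_prefix: bytes


def parse_log(text: str) -> List[HttpEvent]:
    """Turn the JSON-lines proxy log into HttpEvent records (hypothetical log format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(HttpEvent(rec["client"], rec["host"], rec["path"],
                                rec["content_type"], bytes.fromhex(rec["body_hex"])))
    return events


def is_script_url(path: str) -> bool:
    """True when the path (query string ignored) names a server-side script."""
    return path.split("?", 1)[0].lower().endswith(SCRIPT_SUFFIXES)


def looks_like_pe(body_prefix: bytes) -> bool:
    """True when the captured body prefix starts with the PE/DOS 'MZ' magic."""
    return body_prefix.startswith(PE_MAGIC)


def event_reasons(ev: HttpEvent) -> List[str]:
    """Per-response indicators: a script URL serving a PE, or a lying content type."""
    reasons = []
    if looks_like_pe(ev.body_prefix):
        if is_script_url(ev.path):
            reasons.append("script_url_returned_pe")
        declared = ev.content_type.split(";", 1)[0].strip().lower()
        if declared.startswith(TEXTUAL_TYPES):
            reasons.append("content_type_mismatch_pe_body")
    return reasons


def detect(events: List[HttpEvent], burst_threshold: int = 5) -> List[dict]:
    """Return findings for suspicious single responses and for per-client bursts
    of script requests to one host (more than burst_threshold in the window)."""
    findings = []
    script_requests = Counter()
    for ev in events:
        if is_script_url(ev.path):
            script_requests[(ev.client, ev.host)] += 1
        reasons = event_reasons(ev)
        if reasons:
            findings.append({"client": ev.client, "host": ev.host,
                             "path": ev.path, "reasons": reasons})
    for (client, host), n in script_requests.items():
        if n > burst_threshold:
            findings.append({"client": client, "host": host, "path": None,
                             "reasons": [f"burst_of_{n}_script_requests"]})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the sample log this yields three findings: the dropzone download (script URL, PE body), the configuration request that claims `text/html` but returns a PE, and the six-request burst from `10.0.0.9`. The burst threshold is deliberately a parameter, since the right value depends on how the log window is sized; the body-prefix checks are the higher-confidence signal and are the ones worth alerting on first.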
Files – SHA256