# New Erbium password-stealing malware spreads as game cracks, cheats

**[bleepingcomputer.com/news/security/new-erbium-password-stealing-malware-spreads-as-game-cracks-cheats/](https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing-malware-spreads-as-game-cracks-cheats/)**

By [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/)

September 26, 2022 03:54 PM

The new 'Erbium' information-stealing malware is being distributed as fake cracks and cheats for popular video games to steal victims' credentials and cryptocurrency wallets.

Erbium is a new Malware-as-a-Service (MaaS) that provides subscribers with a new information-stealing malware that is gaining popularity in the cybercrime community thanks to its extensive functionality, customer support, and competitive pricing.

[Researchers at Cluster25's team](https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer) were the first to report on Erbium earlier this month, but a new report by [Cyfirma](https://www.cyfirma.com/outofband/erbium-stealer-malware-report/) shares further information on how the password-stealing trojan is distributed.

## New Malware-as-a-Service operation

Erbium has been promoted on Russian-speaking forums since July 2022, but its actual deployment in the wild has been uncertain thus far.

Erbium initially cost $9 per week, but since its popularity rose in late August, the price went up to $100 per month or $1000 for a full-year license.

Compared to the "de facto" choice in the field, RedLine stealer, Erbium's cost is roughly one-third, so it's aiming to disrupt the market for malware commonly used by threat actors.

Like other information-stealing malware, Erbium will steal data stored in web browsers (Chromium or Gecko-based), such as passwords, cookies, credit cards, and autofill information.

The malware also attempts to exfiltrate data from a large set of cryptocurrency wallets installed on web browsers as extensions.

**Targeted hot cryptocurrency wallets** _(Cyfirma)_

Cold desktop wallets like Exodus, Atomic, Armory, Bitcoin-Core, Bytecoin, Dash-Core, Electrum, Electron, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash, and Jaxx are also stolen.

Erbium also steals two-factor authentication codes from Trezor Password Manager, EOS Authenticator, Authy 2FA, and Authenticator 2FA.

The malware can grab screenshots from all monitors, snatch Steam and Discord tokens, steal Telegram auth files, and profile the host based on the OS and hardware.

All data is exfiltrated to the C2 via a built-in API system, while the operators get an overview of what has been stolen from each infected host on an Erbium dashboard, shown below.

**Erbium's dashboard** _(Cyfirma)_

The malware uses three URLs for connecting to the panel, including Discord's Content Delivery Network (CDN), a platform that malware operators have heavily abused.

While Erbium is still a work in progress, users on hacker forums have praised the author's efforts and willingness to listen to client requests.

Cluster25 reported signs of Erbium infections worldwide, including in the USA, France, Colombia, Spain, Italy, India, Vietnam, and Malaysia.

**Erbium distribution map** _(Cluster25)_

While the first Erbium campaign uses game cracks as lures, the distribution channels could diversify significantly anytime, as buyers of the malware may choose to push it via different methods.

To keep the threat out of your system, avoid downloading pirated software, scan all downloaded files with an AV tool, and keep your software up to date by installing the latest available security patches.
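
The stores the article lists (browser profiles, desktop wallets, Telegram, Discord, Steam) belong to unrelated applications, so a single process opening several of them is a practical detection signal. The sketch below is an added example, not code from the article or the cited reports; the default file locations, owner process names and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS
# category -> (path regex, processes expected to open it); default locations, assumed.
STORES = {
    "chromium": (r"\\user data\\[^\\]+\\(network\\)?(login data|cookies|web data)$",
                 {"chrome.exe", "msedge.exe", "brave.exe"}),
    "gecko": (r"\\profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$",
              {"firefox.exe"}),
    "wallet": (r"\\(exodus\\exodus\.wallet|electrum\\wallets)\\",
               {"exodus.exe", "electrum.exe"}),
    "telegram": (r"\\telegram desktop\\tdata\\", {"telegram.exe"}),
    "discord": (r"\\discord\\local storage\\leveldb\\", {"discord.exe"}),
    "steam": (r"\\steam\\config\\loginusers\.vdf$", {"steam.exe"}),
}

def classify(image, target):
    """Return the store category if a non-owner process touched it, else None."""
    proc = basename(image).lower()
    for category, (pattern, owners) in STORES.items():
        if re.search(pattern, target, re.I):
            return None if proc in owners else category
    return None

def find_stealer_like(events, min_categories=2):
    """Flag (pid, image) pairs that opened stores of several unrelated apps."""
    touched = defaultdict(set)
    for ev in events:
        category = classify(ev["image"], ev["target"])
        if category:
            touched[(ev["pid"], ev["image"])].add(category)
    return {proc: sorted(cats) for proc, cats in touched.items()
            if len(cats) >= min_categories}

# Constructed sample telemetry, not taken from any report.
U = r"C:\Users\alice"
CRACK = U + r"\Downloads\game_crack.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LOGIN_DATA = U + r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": CHROME, "target": LOGIN_DATA},
    {"pid": 7788, "image": CRACK, "target": LOGIN_DATA},
    {"pid": 7788, "image": CRACK,
     "target": U + r"\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"pid": 7788, "image": CRACK,
     "target": U + r"\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"pid": 5310, "image": r"C:\Tools\backup.exe",
     "target": U + r"\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\key4.db"},
]
if __name__ == "__main__":
    print(find_stealer_like(SAMPLE_EVENTS))
```

File-read events of this kind come from EDR telemetry or Windows object-access auditing (event 4663 with a SACL on the store), not from default logging. Tune the owner lists for updaters, backup and AV software before alerting on the result.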