On the 21^st of July 2022 on a DWW (Deep/Dark Web) forum, a Russian speaking threat actor created an announcement about the sale of a new infostealer named Erbium. The author stated that its malware is the best on the market, giving to the user unique features and that its development took several months of work.

Erbium InfoStealer Logo

In the beginning the malware was sold at a price ranging between 9 to 150 dollars depending on the user plan, going from one week to one year of license. The prices from July to August were significantly increased, going for a minimum of 100 dollars for one month of usage to a thousand of dollars for a year of the service, including the access to a control panel Cluster25 had the opportunity to observe and analyze. Interesting to note that after having a site, now the service is all administered through a Telegram bot, that works as a marketplace and also as a control for the data stolen, that can be redirected to a Telegram account other than the personal control panel. The bot was set up on early September 2022.

Erbium Telegram Bot

INSIGHTS

Cluster25 managed to obtain a variant of this threat and analyzed its characteristics and operational logic as well as carrying out an initial telemetry assessment of the current spreading degree of this malware family. In the analyzed sample, the first stage of the infection consists in a 32-bit PE executable with a highly obfuscated code. Moreover, the sample use polymorphic techniques to change its identifiable features in order to evade detection. During this phase, the malware reconstructs the string C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe which is the path of the legit Microsoft Application Microsoft .NET ClickOnce Launch Utility.

The string is used to create a new process dynamically calling the API CreateProcessW and passing the path of the AppLaunch.exe executable as one of its arguments. The code invoked during this and the following operations resides in the .data section and it is not present on the original binary, signs that the executable is able to modify its sections during the execution, as evidence reported below.

Then, the malware allocates memory in the new process calling the API VirtualAllocEx and passes the handle of the process as first argument. The argument lpaddress, which defines the desired starting address for the region of pages to allocate, is set to the value 0x400000, the image base address. After this point, the API WriteProcessMemory is used to write the memory in the allocated region of the new process, while the VirtualProtectEx is used to change the permissions to the memory in order to let it executable. Finally, the malware calls the APIs SetThreadContext and ResumeThread to start the execution on the injected process. The second stage tries to perform an HTTP connection to the Command-and-Control (C&C) domain. For the specific sample, the domain used is www[.]f0679086[.]xsph[.]ru, however, the analysis of different samples allowed to detect also the domains mamamiya137[.]ru. The following is the HTTP request used by the malware to communicate with the C&C server:

The connection is used to download a DLL from the C&C, that is later loaded and executed in the memory of the same process (AppLaunch.exe). The 32-bit PE DLL is the last stage of the infection, which acts as the stealer itself. The stealer can grab the following information on the victim systems:

• Desktop screenshot from all monitors.
• PC information (CPU, GPU, DISK, RAM, number of monitors, monitor resolutions, monitor resolutions, MAC, Windows version, Windows owner, PC name, PC architecture, Windows license key)
• Passwords, cookies, history, maps, autofill from most popular browsers based on Gecko and Chromium
• Cold wallets from browsers (MetaMask, TronLink, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaxx Liberty, BitApp Wallet, iWallet, Wombat, MEW CX, GuildWallet, Saturn Wallet, Ronin Wallet, NeoLine, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox, Cyano Wallet, Byone, OneKey, LeafWallet, DAppPlay, BitClip, Steem Keychain, Nash Extension , Hycon Lite Client, ZilPay, Coin98 Wallet, Harmony, KardiaChain, Rabby, Phantom, TON Crystal Wallet)
• Other browser plugins (Authenticator, Authy, Trezor Password Manager, GAuth Authenticator, EOS Authenticator)
• Steam (list of accounts and authorization files)
• Discord (tokens)
• FTP clients (FileZilla, Total Commander)
• Telegram (authorization files)
• Cold desktop wallets (Exodus, Atomic, Armory, Bitecoin-Core, Bytecoin, Dash-Core, Electrum, Electron, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash, Jaxx)

Also, the stealer can obtain the geolocalization of the victim system.

ATTACKER’S CONTROL PANEL

Cluster25 was able to acquired a very good amount of information about this threat including details about the control panel available on the attacker’s side.

Erbium Attacker’s Control Panel

The panel includes different tabs that groups the stolen information together according to their category.

Also, the panel contains a feature to send the stolen information directly to a Telegram Account.

ERBIUM IN THE WORLD

CONCLUSIONS

Cyber-crime is constantly evolving within an underground market where it is not uncommon to come across new proposals for the purchase of MaaS solutions. In Cluster25’s opinion Erbium could become one of the most used infostealers by cyber criminals due to its wide range of capabilities and due to the growing demand for MaaS.

ATT&CK MATRIX

INDICATORS OF COMPROMISE

DETECTION AND THREAT HUNTING

alert tcp any any ->  any $HTTP_PORTS (
msg: "Cluster25 - Trojan/Erbium CnC Communication"; 
flow:established,to_server; 
content:"GET"; 
nocase; http_method; content:"/api.php"; 
content:"method=getstub"; 
content:"tag="; 
http_uri; 
sid:100004;
rev:1;
)