Erbium Stealer Malware Report – CYFIRMA

Erbium Stealer is an information-stealing malware distributed as malware-as-a-service (MaaS), observed by CYFIRMA in Aug-2022 and advertised on Russian-speaking forums. It decrypts obfuscated code, drops a DLL in %temp%, loads it via LoadLibraryA, and communicates with a C2 panel and the Discord CDN; it targets browser and wallet data and is sold with support on underground markets.

Keypoints

  • Erbium Stealer is an information-stealer / MaaS-based malware observed in Aug-2022 and marketed on underground forums.
  • It uses XOR-based decryption, drops a DLL in the temp folder, and loads it into the current process with LoadLibraryA.
  • The malware establishes network/C2 communication, including connections to Discord’s CDN and a dedicated panel URL.
  • It enumerates drives and files, gathers system information, and harvests data from browsers, wallets, and 2FA/MFA/password managers.
  • Targeted browsers include Cyberfox, Firefox, K-Meleon, BlackHawk, Pale Moon, Google Chrome, and Thunderbird.
  • Harvested information is exfiltrated to the C2/panel, and the malware can download additional payloads from the C2 server.
  • CYFIRMA documents sample hashes, IOCs, and a MITRE ATT&CK mapping for this malware family.

MITRE Techniques

  • [T1106] Native API – The malware loads the dropped DLL into the process by calling the LoadLibraryA API. Quote: “…loads that dropped file in the current process by calling LoadLibraryA API.”
  • [T1027] Obfuscated Files or Information – It decrypts obfuscated content using XOR logic to hide code and payloads. Quote: “…decrypting the obfuscated contents by using XORing logic…”
  • [T1539] Steal Web Session Cookie – Collects credentials from chat apps and browsers. Quote: “…Collecting user credentials, such as passwords, from a range of popular chat and email programs, as well as web browsers.”
  • [T1552.001] Unsecured Credentials: Credentials In Files – Collects data from authentication-related tools, including 2FA/MFA and password managers. Quote: “…collect data of Authentication (2FA) and password-managing software.”
  • [T1057] Process Discovery – Discovery includes identifying running processes. Quote: “…Process Discovery” (from the MITRE mapping in the article).
  • [T1082] System Information Discovery – Collects system information. Quote: “…System Information Discovery” (from the MITRE mapping in the article).
  • [T1005] Data from Local System – Enumerates drives and files/folders to collect local data. Quote: “Enumeration of drives” and “enumerate paths, files, and folders.”
  • [T1573] Encrypted Channel – Uses an encrypted channel for C2 communications. Quote: “…Encrypted Channel” (as listed in the article’s MITRE mapping) and references to network communication with C2/CDN.

Indicators of Compromise

  • [MD5] sample – 1EF9C948E6045D8D8794A89CC9545B0F
  • [MD5] Erbium stealer DLL – 6BC81580D318DC8EBF48B3555DD4C9D7
  • [Strings] User-agent – Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a
  • [Domain] Erbium stealer control panel – Panel[.]erbium[.]ml
  • [Strings] File strings – LrtmqR1muOHUwcTB
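As an added defender-side example (not code from the CYFIRMA report), the Python below checks constructed proxy log lines for the two network indicators listed above: the Erbium user-agent prefix and the defanged panel domain. The log line layout and the sample lines are assumptions; the Discord CDN is deliberately not treated as an indicator on its own because legitimate clients use it too.

```python
import re
from urllib.parse import urlparse

# Indicators from the CYFIRMA report, kept defanged as published and refanged at runtime.
ERBIUM_UA_PREFIX = "Erbium-UA-"
ERBIUM_PANEL_DOMAIN_DEFANGED = "Panel[.]erbium[.]ml"

# Constructed proxy log lines for the demo (not captured traffic), assumed layout:
# timestamp, client IP, method, URL, quoted user-agent.
SAMPLE_PROXY_LOG = """\
2022-08-15T10:01:02Z 10.0.0.12 GET https://www.example.org/ "Mozilla/5.0 (Windows NT 10.0)"
2022-08-15T10:01:07Z 10.0.0.12 POST https://panel.erbium.ml/gate "Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a"
2022-08-15T10:01:09Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/1/2/x.bin "Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a"
2022-08-15T10:02:00Z 10.0.0.13 GET https://cdn.discordapp.com/attachments/3/4/y.png "Mozilla/5.0 (X11; Linux)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def refang(indicator: str) -> str:
    """Turn a defanged indicator (e.g. Panel[.]erbium[.]ml) into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def scan_proxy_log(log_text: str) -> list[dict]:
    """Return one finding per log line that carries an Erbium network indicator.

    A Discord CDN host by itself is not an indicator (legitimate clients use it),
    so the Discord line in the sample is caught only through its Erbium user-agent.
    """
    panel_host = refang(ERBIUM_PANEL_DOMAIN_DEFANGED)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, _method, url, ua = m.groups()
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        if ua.startswith(ERBIUM_UA_PREFIX):
            reasons.append("erbium-user-agent")
        if host == panel_host:
            reasons.append("erbium-panel-domain")
        if reasons:
            findings.append({"ts": ts, "client": client, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```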

Read more: https://www.cyfirma.com/outofband/erbium-stealer-malware-report/