Issue 01 - 2023 | Magazine | Technology
GBO | Malware

Erbium: New malware that’s creating havoc

The 'Erbium' malware targets user data stored in Google Chrome, Microsoft Edge and Mozilla Firefox and steals sensitive user data such as passwords and banking details

Cybersecurity has always been a major concern, all the more so in the current digital era, and now another threat has emerged in the form of the ‘Erbium’ malware. It is spreading at a rapid pace and stealing sensitive personal information such as passwords, credit card details and cryptocurrency wallets. The malware has been classified as a data- and information-stealing tool (an infostealer).

The advent of this malware is bad news for gamers in particular, as it is being spread through pirated games and cheats for popular game titles. It is sold as Malware-as-a-Service (MaaS), or in layman’s terms, subscription malware. What is even more worrying is that its monthly price has shot up from USD 9 to USD 100, and its yearly subscription fee currently stands at USD 1,000. Subscribers get frequent updates, customer support and other tooling as part of the service.

The cyber-intelligence company Cyfirma identified the malware while analysing some of the gaming cheat tools in which it was bundled.

More details emerge

It was the cybersecurity firm Cluster25 that first disclosed details of the malware. When Cyfirma stepped in to investigate further, it found that Erbium was being advertised on hacker forums with links to Russia, another disturbing development amid the ongoing war in Ukraine and the sanctions standoff between Moscow and the West. The Cluster25 study also reported that Erbium had spread to the USA, France, Spain, Italy, Vietnam, Malaysia, Colombia and India. For now, experts say the malware has been found only in game cheat packages, but if left unchecked it may spread across the internet through other distribution channels.

Erbium’s mode of operations

The malware targets user data stored in Google Chrome, Microsoft Edge and Mozilla Firefox and steals sensitive information such as passwords and banking details. More worrying still for the booming cryptocurrency market, the malware also targets digital currency wallets installed as browser extensions. According to Cyfirma, the malware also evades detection by existing firewalls and other security mechanisms. Desktop wallets (programs that store and manage the private keys of a user’s crypto accounts) such as Exodus, Ethereum, Litecoin-Core, Monero-Core and Bytecoin have felt the Erbium onslaught as well, and two-factor authentication data from apps such as Trezor Password Manager, Authenticator 2FA and Authy 2FA is being stolen too.

It has other dangerous abilities, such as taking screenshots of the victim’s screen and stealing Telegram authentication files and Steam and Discord tokens. After the theft, everything collected is passed on to the operators via a built-in API (Application Programming Interface), from where it reaches the darknet.

Until now, the RedLine stealer has been the default choice of darknet operators for data theft, but with Erbium emerging as a cheaper alternative, complete with features such as a dashboard that collects the sensitive data stolen from infected computers, the cyber security domain is facing an altogether new challenge.

Erbium uses three URLs for its operations, including the tried-and-tested route of a Content Delivery Network (CDN).

What are the malware’s key abilities?

Cyfirma has listed some of them:

It can enumerate paths, files and folders, and load additional libraries into memory.

It can collect system information about the user’s computer before attacking it. The malware has network communication capability as well.

It scans the applications installed on the user’s computer and steals information from them.

It can also obtain information from investors’ cryptocurrency wallets (browser extensions), as well as authentication data (2FA) and password-manager data. The targeted cryptocurrency wallets are Exodus, Bitcoin-Core, Atomic, Armory, Bytecoin, Dash-Core, Electrum, Coinomi, Ethereum, Litecoin-Core, Electron, Monero-Core, Jaxx and Zcash.

The phenomenon called Erbium

Cyfirma, while preparing its threat assessment report on Erbium, cited a cyber threat actor with Russian links who advertised the malware on a dark web forum. He claimed to have spent considerable time developing the malware.

The firm said in its study, “Recently CYFIRMA’s research team detected a new sample of Erbium stealer in the wild. We observed one of the recent gaming campaigns where the threat actors lure gamers/players who want to acquire an unfair or prohibited edge over other players with the malicious binary posted on MediaFire (a free service for file hosting). Threat actors are spreading this malware using drive-by-download techniques and posing as cracked software/game hacks.”

It also found that these threat actors were offering gamers malicious binaries disguised as software (a kind of cheat code) that promised an edge over their rivals. Its initial price ranged between USD 9 and USD 150, with subscription plans running from one week to one year. In 2022, the subscription price shot up to USD 1000, because cheat codes matter a great deal in online gaming.

Cluster25 cited a Telegram bot as the medium through which the malware is administered and delivered to user computers. It said, “Cybercrime is constantly evolving within an underground market where it is not uncommon to come across new proposals for the purchase of MaaS solutions. In Cluster25’s opinion, Erbium could become one of the most used info stealers by cybercriminals due to its wide range of capabilities and due to the growing demand for MaaS.”

What are the remedies?

Gamers need to steer clear of downloading cracked files or software that come with the lure of ‘cheat codes’. Run good anti-virus protection on your PCs and laptops, and keep the devices updated with the latest security fixes.

Don’t download pirated software, and scan all downloaded files with an anti-virus tool. You can also let the anti-virus software scan your computer at regular intervals.

The malware needs to be included on cyber-security threat lists, and public advisories on ‘Erbium’ need to be published online to caution users.

As we talk about the ‘Erbium’, let us revisit some of the previous malware attacks that have been as notorious as ‘Erbium’.

Creeper virus

The legendary computer scientist and mathematician John von Neumann came up with the idea of code that could reproduce and spread itself. His work was published in 1966, and five years later came the Creeper virus, written in PDP-10 assembly language and exhibiting exactly the behaviour von Neumann had predicted. ARPANET (Advanced Research Projects Agency Network), considered the predecessor of the modern-day internet, became the medium through which the virus spread. Although it did not harm the systems it reached, the connected teletype machines (electromechanical devices used to send and receive typed messages over various communications channels) would print the message, ‘I’M THE CREEPER: CATCH ME IF YOU CAN.’ Another computer science pioneer, Ray Tomlinson, sorted the issue out by writing a rival program to remove it.

Brain virus

In 1986 the ‘Brain’ virus hit the headlines for all the wrong reasons. This was the era of personal computers and floppy disks, a far cry from those inter-connected teletype machines. Brain was developed by the Pakistan-based Alvi brothers (Amjad and Basit Farooq), who set out to create a virus that would target pirated copies of their medical software. They also embedded contact details in the program so that customers could reach out to the Alvi brothers to ‘disinfect’ any disk whose boot sector had been infected by Brain.

Brain eventually came to be categorised as the first IBM PC virus and, like Creeper, was largely harmless in nature.

Morris worm

In 1988, the Morris worm became the first widespread computer worm, able to reproduce itself without the help of another program. Not only did it spread like wildfire, it caused monetary damage as well. The worm, named after the New York-based Cornell University student Robert Morris, infected 10% of internet-connected computers within 24 hours of its release and brought many of those systems to a halt by creating repeated copies of itself.

Although Robert Morris presented the worm as more of a concept study to identify internet security flaws, he became the first person convicted under the 1986 Computer Fraud and Abuse Act.

ILOVEYOU

Unlike Morris, 24-year-old Philippines resident Onel de Guzman launched the ‘ILOVEYOU’ malware in 2000 with criminal intent. His motive was simple: stealing other users’ passwords and using their dial-up internet accounts. Onel de Guzman developed it on Windows 95, and the malware exploited the operating system’s weaknesses to good effect.

Millions of infected computers ended up sending copies of the malware onward and passwords back to Onel de Guzman’s email address, apart from erasing files on the targeted computers. The outbreak not only caused huge financial damage but also shut down the UK Parliament’s computer system. The malware spread through an email carrying an ‘I Love You’ subject line.

Mydoom

Four years after ‘I Love You’ came ‘Mydoom’, in 2004. This malware also chose email as its medium for infecting computers. Its working procedure was very simple: reach the computer via email, take control of the system and send out multiple copies of the worm. At its peak, the malware caused USD 35 billion in financial damage, back in the early 2000s. Unlike Morris and de Guzman, Mydoom’s creator remains anonymous to this day, and that person’s motive has never been established. The worm also used the infected computers to attack the SCO Group, a firm that was pursuing claims over Linux’s intellectual property (IP) rights. Microsoft too came under attack from this malware.

Zeus Trojan

This malware appeared in 2007 and, if reports are to be believed, still infects computers and websites via routes such as phishing and drive-by downloads. The Trojan, whose source code and operating manual were leaked in 2011, is a common tool among darknet threat actors. Another variant appeared in 2014, with the banking sector as its favourite target, as it can easily steal details such as passwords.

CryptoLocker

This ransomware is also connected with Zeus, as it uses the Trojan to build botnets out of infected computers. One of those botnets (a botnet is a network of internet-connected devices used to carry out data theft, send spam links to other computers and give the attacker remote access to the infected devices), called Gameover Zeus, distributed an early version of ransomware named CryptoLocker, which encrypted the infected computer’s files, stole sensitive data and then forced the affected user to pay in digital currency to regain access to the computer and its data. CryptoLocker not only spread quickly but used strong encryption that was difficult to crack. Although law enforcement agencies managed to stop its spread in 2014, variants of it are still around.

Emotet Trojan

Another variant of the Trojan family is Emotet. It belongs to the category of polymorphic malware (malware that can change its code and mutate while keeping its original algorithm intact, in order to evade established cybersecurity mechanisms). It also spreads through phishing and ‘email attachments’. It has also emerged as a delivery medium for other malware, such as TrickBot and Ryuk.

Mirai Botnet

The botnet discussed here targets the Internet of Things (everyday devices fitted with sensors, processing capability and software that lets them connect to and exchange data with other devices over a network). Its primary targets were CCTV cameras and home routers that did not have secure passwords.

Paras Jha, a college student in the US, was the main developer behind the botnet. His initial plan was to attack Minecraft server hosting providers, but the botnet ended up disrupting internet services across the US east coast. He also took part in illegal activities such as running click-fraud botnets and infecting over 100,000 computing devices, such as home internet routers, with malicious software.

He had two associates, Josiah White and Dalton Norman. Paras Jha also launched cyber-attacks on New Jersey-based Rutgers University, shutting down its central authentication server. In 2018, Paras Jha was ordered to pay USD 8.6 million in restitution and serve six months of house arrest for his actions.

NotPetya Wiper

This one rose to prominence in 2016, with the ability to lock down the data on affected computers by encrypting the master file table. Its route of attack was phishing.

It was distributed through a Ukrainian accounting software package and kept Europe on its toes. It also displayed addresses to its victims for sending ransom payments.

According to cybersecurity experts, Russian intelligence was allegedly involved in reprogramming the original Petya into the ‘NotPetya’ malware and using it against Ukraine in the fallout from the annexation of Crimea.

Clop

While we are discussing the Erbium malware, there is another one worth mentioning: Clop, or Cl0p, a ransomware variant that has been termed one of the principal cybersecurity threats of 2022. Victims cannot access their data, but the threat actor can. It is part of a trend called ‘Ransomware as a Service’, in which professional hackers work for a fee or even in exchange for a share of the ransom.

Given Erbium’s ability to evade state-of-the-art cybersecurity mechanisms, gamers and crypto investors need to rely on the best defence available for now: awareness. Avoid downloading pirated software and keep your systems updated.
