Security researchers are warning of a new information stealer named Erbium being distributed under the Malware-as-a-Service (MaaS) model.
The threat made its initial appearance in late July, when a Russian-speaking threat actor started advertising it on a dark web forum.
Initially, the developer was offering Erbium for up to $150 for a one-year license, but they are now requesting a minimum of $100 for a month of usage and thousands of dollars for the year-long license.
The malware author administers the service via a Telegram bot that also functions as a marketplace and as a control for the stolen data, cybersecurity solutions provider DuskRise explains.
The malware is being spread via drive-by-downloads, posing as cracked software/game hacks distributed through a free file hosting service, spear-phishing, malvertising, exploit kits, and malware loaders, cybersecurity company Cyfirma notes.
After being deployed on a victim’s machine, Erbium connects to Discord’s content delivery network (CDN) servers, and then starts collecting data, including system information, geolocation, information from a wide range of applications, and user files.
The threat targets browser data such as logins, cookies, history, and cold wallet information, data from browser plugins, and information from Steam, Discord, FTP clients, Telegram, and desktop cold wallets. The malware can also take screenshots.
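A hunting heuristic built on the behaviour described above, added here as an example and not taken from the article or from either vendor's detection logic: it flags a process that is not an expected Discord or browser client when it contacts the Discord CDN and then reads browser credential stores shortly afterwards. The telemetry is constructed, and the event schema, the `cdn.discordapp.com` hostname, the process allowlist, the file names and the five-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Assumptions, not from the article: hostname, allowlist, file names, event schema.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}
EXPECTED_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
CREDENTIAL_STORES = {"login data", "cookies", "logins.json", "cookies.sqlite"}
WINDOW = timedelta(minutes=5)
CHROME = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default"

# Constructed telemetry: (timestamp, host, pid, image, event kind, target)
SAMPLE_EVENTS = [
    ("2022-09-27T10:00:01", "ws-01", 4120, "chrome.exe", "net", "cdn.discordapp.com"),
    ("2022-09-27T10:00:02", "ws-01", 4120, "chrome.exe", "file_read", CHROME + r"\Login Data"),
    ("2022-09-27T10:02:10", "ws-02", 7788, "setup_crack.exe", "net", "cdn.discordapp.com"),
    ("2022-09-27T10:02:40", "ws-02", 7788, "setup_crack.exe", "file_read", CHROME + r"\Login Data"),
    ("2022-09-27T10:02:41", "ws-02", 7788, "setup_crack.exe", "file_read", CHROME + r"\Network\Cookies"),
    ("2022-09-27T10:05:00", "ws-03", 5000, "updater.exe", "net", "cdn.discordapp.com"),
    ("2022-09-27T10:45:00", "ws-03", 5000, "updater.exe", "file_read", CHROME + r"\Login Data"),
    ("2022-09-27T10:06:00", "ws-04", 6100, "backup.exe", "file_read", CHROME + r"\Login Data"),
]


def find_suspects(events, window=WINDOW):
    """Flag processes outside the allowlist that contact the Discord CDN and
    then read a browser credential store within `window`."""
    cdn_contact = {}  # (host, pid, image) -> time of first CDN contact
    hits = {}         # (host, pid, image) -> credential files read afterwards
    for ts, host, pid, image, kind, target in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (host, pid, image.lower())
        if kind == "net":
            if target.lower() in DISCORD_CDN_HOSTS and key[2] not in EXPECTED_CLIENTS:
                cdn_contact.setdefault(key, when)
        elif kind == "file_read" and key in cdn_contact:
            # Compare on the file name only, whatever the profile path is.
            name = target.lower().replace("\\", "/").rsplit("/", 1)[-1]
            if name in CREDENTIAL_STORES and when - cdn_contact[key] <= window:
                hits.setdefault(key, []).append(target)
    return [(*key, files) for key, files in hits.items()]


if __name__ == "__main__":
    for host, pid, image, files in find_suspects(SAMPLE_EVENTS):
        print(f"{host} pid={pid} {image}: {len(files)} credential store(s) "
              "read after Discord CDN contact")
```

Legitimate software also fetches files from Discord's CDN, so a hit is a lead for triage rather than a verdict; the allowlist and window need tuning per environment.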
According to DuskRise, the threat has been used in numerous attacks against targets located in the US, Colombia, France, India, Italy, Malaysia, Lebanon, Portugal, Romania, Spain, Turkey, and Vietnam.
The harvested user data is then offered for sale on various cybercriminal marketplaces, where it can be used to mount new attacks against victims, the security firms warn.