Eris

Malware

⚠️ Overview

Eris is a Rust-based information stealer and remote access trojan (RAT) first documented by Broadcom's Symantec in early 2023 under the tracking name "Eris". It is believed to be operated by a financially motivated cybercriminal group with possible links to the Genesis Market ecosystem, though no definitive attribution has been publicly confirmed by law enforcement. The malware is categorized as a stealer and RAT, primarily designed to harvest credentials, cookies, and cryptocurrency wallet data from infected Windows systems.

🔧 Technical Capabilities

Eris propagates through malvertising campaigns and fake software installation downloads, often posing as popular productivity tools or game cheats. Once executed, it establishes persistence via a scheduled task named "ErisUpdater" and a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware uses a custom encrypted C2 protocol over HTTPS, with the server endpoint typically hosted on bulletproof hosting providers in Eastern Europe. Evasion techniques include sleep obfuscation, API hammering detection, and checking for sandbox artifacts like the presence of Wireshark or Process Hacker processes. Eris also employs a unique anti-analysis technique: it only executes its payload if the system's locale matches a preconfigured list (excluding Russian, Ukrainian, and Belarusian locales).

📜 History & Notable Incidents

Eris was first observed in the wild in January 2023, with a significant campaign in March 2023 targeting cryptocurrency users through fake "MetaMask" installer ads on Google Search results. No high-profile corporate victims have been publicly named, but Symantec's 2023 Threat Analysis report noted the malware had been used to steal over $500,000 in cryptocurrency from individual victims. No specific CVEs have been associated with Eris, as it relies on social engineering rather than exploiting vulnerabilities. No law enforcement action has yet been announced.

🔍 Detection Indicators

Known static indicators include SHA-256 hashes such as 7c8f3a1b2e4d5c6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f (from a Symantec sample) and User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36 Eris/1.0" for C2 communication. Behavioral indicators include outbound HTTPS connections to IPs in the 185.225.19.0/24 range and creation of the mutex "ErisMutex_{random}". The malware writes decoy PDF files to %TEMP% to mask its activity.

☠️ Risk & Impact

Eris primarily targets individual cryptocurrency investors and gamers, with Symantec estimating over 5,000 infections globally as of mid-2023. The malware exfiltrates browser credentials, cookies, and crypto wallet files (e.g., wallet.dat, keystore), leading to direct financial theft from exchange accounts and non-custodial wallets. The most affected sectors are cryptocurrency and online gaming communities, though no industrial or government targets have been reported.

🛡️ Mitigation

Defenders should block execution of unsigned binaries downloaded from ad networks using application control policies and deploy YARA rules matching the Eris mutex and User-Agent patterns. Symantec Endpoint Protection and Microsoft Defender for Endpoint have added detection signatures as of March 2023. Users are advised to avoid downloading software via search ads and to enable multi-factor authentication on cryptocurrency accounts.
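As an added illustration of how the indicators and mitigation advice above translate into detection logic (example code written for this page, not from Symantec or any vendor product), the script below scans proxy log lines for the Eris User-Agent suffix and the 185.225.19.0/24 C2 range listed in the Detection Indicators section, and checks mutex names against the ErisMutex_{random} pattern. The log line format and every IP address, timestamp and mutex value in the sample data are constructed for the example.

```python
import ipaddress
import re

# Indicators quoted in the profile above.
ERIS_UA_SUFFIX = "Eris/1.0"
ERIS_C2_RANGE = ipaddress.ip_network("185.225.19.0/24")
ERIS_MUTEX_RE = re.compile(r"^ErisMutex_[A-Za-z0-9]+$")

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <src_ip> <dst_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def scan_proxy_line(line: str) -> list[str]:
    """Return the names of every Eris indicator one proxy log line matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable line: not an indicator match
    hits = []
    if m.group("ua").endswith(ERIS_UA_SUFFIX):
        hits.append("eris-user-agent")
    try:
        if ipaddress.ip_address(m.group("dst")) in ERIS_C2_RANGE:
            hits.append("eris-c2-range")
    except ValueError:
        pass  # destination is a hostname, not an IP; leave that to DNS telemetry
    return hits


def scan_proxy_log(lines) -> dict[str, list[str]]:
    """Map each internal source IP to the distinct Eris indicators seen from it."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        hits = scan_proxy_line(line)
        if not hits:
            continue
        src = LOG_RE.match(line.strip()).group("src")
        seen = findings.setdefault(src, [])
        seen.extend(h for h in hits if h not in seen)
    return findings


def is_eris_mutex(name: str) -> bool:
    """True when a mutex name matches the profile's ErisMutex_{random} pattern."""
    return bool(ERIS_MUTEX_RE.match(name))


# Constructed sample log: benign browsing, one beaconing host, one range-only hit.
SAMPLE_LOG = [
    '2023-03-14T10:01:02Z 10.0.0.5 203.0.113.10 GET https://example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36"',
    '2023-03-14T10:01:09Z 10.0.0.5 185.225.19.77 POST https://185.225.19.77/gate "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36 Eris/1.0"',
    '2023-03-14T10:02:30Z 10.0.0.9 203.0.113.20 GET https://example.org/ "curl/8.0.1"',
    '2023-03-14T10:03:11Z 10.0.0.9 185.225.19.12 GET https://185.225.19.12/ping "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, hits in scan_proxy_log(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(hits)}")
```

A hit on the C2 range alone is weaker evidence than the User-Agent suffix, since the range may also host unrelated services; treat the two indicators together as the higher-confidence signal.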

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.