Gamers have found themselves in the crosshairs of criminals for as long as it has been possible to monetize the theft of game credentials. Since the beginning of 2019, SophosLabs has been tracking the activity of a malware family we’re calling Baldr that, initially at least, targeted gamers through the use of misleading online videos.
These videos present the malware as a tool to gain an unfair advantage in a number of different online games, but the real purpose of Baldr is to enable both the purchasers and its creator to engage in identity theft.
We first observed the Trojan being advertised for sale on Russian cybercrime-related forums at the end of January, 2019. By the following month, we saw its distribution begin to increase, along with the price the malware authors were charging to criminals. As its distribution increases, so does the variety of methods that Baldr customers use to infect victims, including the use of maliciously crafted .ace archives and Office documents, which are either hosted for download or emailed to victims.
Baldr can quickly seize a wide range of information from its victims, including saved passwords, cached data, configuration files, cookies and other files from a wide variety of applications, including:
- 22 different web browsers
- 14 different cryptocurrency wallets
- VPN client applications
- File transfer tools
- Instant messaging and chat clients
- Game clients and gaming services, such as Steam, Epic and Sony
- Gaming-adjacent services such as Twitch or Discord
We consider Baldr an up-and-coming password stealer, as we’ve observed its evolution through at least four major revisions over the past seven months. In that time, the malware’s creator has added a raft of new features that put it in direct competition with better-known families. There has also been a bit of drama in the criminal underground, where the main developer and the principal distributor seem to have had a (somewhat public) falling out, with the distributor dropping Baldr as a product for sale. But the malware has not ceased functioning, and we expect it to re-emerge, possibly under a new name.
The paper (link below) discusses some of the unique characteristics of Baldr’s killchain (implemented not by the malware’s creator but by its criminal customer base) and its apparent relationship to other malware families, some of which Baldr itself delivers to victim machines as a malware distribution network.
The full report can be downloaded here.