Baldr Credential-Stealing Malware Targets GamersCybercriminals Look to Steal IDs and Payment Information
Baldr, a grab-and-go credential stealer first spotted in January in various Russian underground forums, is now spreading to other spots around the world, targeting the global gaming industry to steal identities and payment data from victims, according to an analysis by Sophos Labs.
Over the last eight months, the malware has been distributed by YouTube videos that claim to offer cheat tools for popular games such as “Counter-Strike: Go” and “Apex Legends,” according to Sophos. When a victim clicks on the malicious link, Baldr is able to grab not only credentials and passwords, but other information, including banking, payment and credit card data as well as bitcoin wallets, VPN credentials and instant messages, researchers found.
The malware is also capable of taking information stored in a browser's cache. This includes popular browsers, such as Google Chrome, Mozilla Firefox and Microsoft Edge, as well as lesser known ones such as the Yandex Browser and Pale Moon, according to Sophos.
Sophos researchers first saw the malware having its greatest effect in Indonesia but then it spread to the U.S., Singapore, Brazil, India and Germany.
After first appearing in various underground forums earlier this year, the creators of Baldr began an aggressive marketing campaign for the malware, leasing it out to some 200 other cybercriminals over the course of the last eight months, Albert Zsigovits, a threat researcher at Sophos, writes in a blog about the research.
The Sophos analysis shows that despite its rapid spread, Baldr remains relatively simple but effective. For instance, once it scours an infected computer and exfiltrates the credential and data it's looking for, the malware simply quits. It also has no way to maintain persistence in a network and cannot be spread peer-to-peer, Zsigovits notes.
"It's not feature rich, but what it does, it does quickly, and the criminal underground snapped it up," Zsigovits adds.
Baldr steals information quickly and efficiently, he says. Once it finds its way inside the infected system files, the malware compresses the data into a file, encrypts it and sends it off to a cybercriminal's command-and-control server, Zsigovits notes. It does this through an HTTP post - a common request method for data - that connects the malware to the command-and-control in order for the two to communicate, according to Sophos.
Baldr also takes a screenshot of the infected machine before it stops working, Sophos finds.
While the Sophos analysis found that Baldr has gone through several updates since it was first spotted by researchers from Malwarebytes and other firms, the new analysis found that within the command-and-control server, the creators have begun to include simple persistence mechanisms.
For instance, the malware can copy itself into the startup folder and run again on the next reboot of the infected machine. This can allow Baldr to serve as a way for cybercriminals to deliver other malicious payloads, according to Sophos.
In addition, the Sophos analysis found that the command-and-control servers are typically protected by using bulletproof hosting services, which place software on multiple physical machines located at different IP addresses to help better hide its purposes.
The Sophos analysis also found that in addition to some innovations, the creators of Baldr and their cybercriminal clients have made a number of mistakes that have given researchers some insight into how the malware developed.
For instance, because the command-and-control server is not hosted in the cloud, cybercriminals using Baldr for their own purposes need to lease the software from the creators. It turns out, however, that the Sophos team found that many of the would-be hackers misconfigured the server, allowing researchers to gain insight into how the command-and-control works as well as domain names.
The Sophos team also found that the Baldr creators heavily borrowed code from other malware. For example, it appears the authors gave Baldr the ability to steal data from applications such as "FileZilla" and "Telegram," but the code this function is taken from an information stealer called GrandStealer.
"Baldr is a Frankenstein’s monster of code bits from other malware," Zsigovits notes
Already Too Late?
The Sophos report may have been issued too late to have a big impact. It appears that the creators of Baldr have suspended any sales or leases of the malware, although the command-and-control software still works for those who purchased a license, Sophos reports.
On May 31, Baldr's distributor announced on Telegram and dark net forums that support for the malware is complete and that there would be no more updates, according to Sophos.
“However, Baldr's main distributor points new customers to another stealer called Krypton and names it as a successor to follow in Baldr's footsteps," according to the report.