Digital security firm Sophos has issued a warning about a sophisticated piece of malware, dubbed Baldr, that since early this year has been distributed via purported cheats for games including Fortnite, Apex Legends, and CS:GO. The software is "an up-and-coming password stealer" that's progressed through at least four major revisions, that enables users to steal credit card numbers, login credentials for gaming sites and other online platforms, and other personal information—at least some of which is being sold on dark web forums.
Sophos said in its technical analysis of Baldr that it first encountered the malware as it spread through "online gaming circles," spurred by YouTube videos promoting cheats for popular games. "These videos were used to advertise tools that purport to give online game players one or more abilities to cheat in games such as Counter-Strike: Go or Apex Legends. The video details often contained a link that a viewer could use to download the tool. We also saw download links distributed in gaming-specific channels on both the Discord and Telegram chat services," the analysis explains.
"In addition to these distribution methods, we found instances where we found Baldr malware included with pirated versions of games offered for illicit download, as well as bundled along with maliciously modified installers of otherwise legitimate cryptocurrency miner software."
Sophos cyber research chief Chester Wisniewski described the malware as "hit and run," telling The Telegraph that once it fires up, "it instantly steals everything on the comp, bundles it up, and sends it to the crooks." He also offered a little insight into why Baldr gained its initial traction through online games.
"Teenagers are easily convinced to cheat with their friends and are much less likely to understand that these things might be malicious and cause problems on their computers than an adult might," he said. "They will click anything."
The origin of the malware isn't known, but the bulk of Baldr infections so far have been found in Indonesia (including Singapore), Brazil, and Russia; the US accounts for roughly 10.5 percent of infections. There's also an option to ensure that it doesn't attack targets within Russia, which could be telling: As The Telegraph noted, it's a criminal offense in Russia to hack domestic targets.
Whatever its origins, it sounds as though Baldr is moving in wider circles now. The Sophos technical report says it "initially" targeted gamers through cheats and pirated copies of game, "but as the malware's customer base grew, so did the variety of methods we saw to send the malware to victims."
That includes a security vulnerability in WinRAR that was discovered in February, and an oddly niche flaw in older versions of Microsoft Office, which seemed to baffle researchers: "Why criminals chose to use this particular vulnerability to distribute malware more than a year after the patch was released remains a mystery, as subsequent updates to Microsoft Office have essentially removed the vulnerable Equation Editor component from Office, altogether," the analysis says.
Sophos also told The Telegraph that Baldr's primary goal was likely to access gaming accounts in order to steal and sell in-game currency. But it has since seen "Netflix paswords, social media logins, and even airmiles accounts" being offered for sale on the dark web.
It's possible that further development of the malware may have halted, at least temporarily: Sophos said the main developer and principal distributor "seem to have had a (somewhat public) falling out," and it's no longer being offered for sale. But it also predicted that it could come back, possibly under a new name.