SophosLabs has warned that the malware family Baldr is targeting gamers through the use of malware-infected online videos. The videos appeal to lazy gamers who are looking for ways to cheat in games such as Counter-Strike: Go and Apex Legends. Victims were directed to a link that downloaded the malware onto their machines. In addition to spreading the malware through gaming channels, the distributors also included it in pirated versions of games and in other modified software. This is a fairly common risk for anyone downloading illegal copies of software.
SophosLabs believes the primary function of Baldr is to act as a credential stealer. It gained access to the credentials used to log in to games. This allows it to steal in-game items, some of which attract serious money on underground forums. In addition to game passwords, Baldr is also capable of stealing any cached credentials in browsers, including those for banking, credit cards, online shopping and work access.
In an interesting ‘no honour among thieves’ twist, it appears that the makers of the malware were themselves screwing over their customers. According to Chester Wisniewski, Principal Research Scientist, Sophos: “The makers installed a Remote Access Trojan (RAT) on the machines of those who purchased the tool from the forums. This allowed them to skim the details of those who purchased the Baldr toolkit. Not only did they have access to their customers’ machines, they also got a copy of any data that they, in turn, stole from the victims.”
Rapid evolution hid poor implementation
Baldr was first spotted in January 2019. Over the next few months, SophosLabs saw at least four revisions to the code. Those revisions added new features that made Baldr a serious threat. As features were added, the price of the malware went up, although buyers were offered future-proofing through free access to upgrades.
One of the interesting features was the breadth of browser support. Baldr attacked the major browsers, as might be expected. It also, however, attacked a number of less well-known browsers that are popular with certain communities. Among those spotted are Pale Moon and Brave. It also attacks FTP programmes such as FileZilla.
This rapid evolution and addition of new features masked some underlying problems. Baldr took advantage of a number of different vulnerabilities to infect machines. However, Wisniewski says that there is evidence they didn’t really know what they were doing. For example, one vulnerability that they added only existed in Microsoft Office for a month. After that, any patching closed that loophole. There were a number of other outdated vulnerabilities in the code.
John Shier, Sr Security Advisor, Sophos said: “One of the problems with the code is that it appears to have been frankensteined from other pieces of malware.” This could explain the use of old and outdated vulnerabilities mixed in with some sophisticated features.
Criminals falling out
Bizarrely, the fate of Baldr is uncertain. Shier says there are reports that the developer and master distributor have argued and broken up. This means that there is currently no ongoing development or at least no public development. While it is not unusual for malware to ‘go quiet’ it isn’t often preceded by a public row.
This raises the question of what happens to the code now. There is a lot of malware on the market where the owners have given up on the project and abandoned the code. They generally just dump the code for someone else to pick up and work with. Shier thinks this is what will happen with Baldr. The question is who will take it on, or whether this is just a ploy by the developer while they look for another partner.
Enterprise Times: What does this mean?
It would be all too easy to write this off as a gamer issue. However, the prevalence of Bring Your Own Device (BYOD) in enterprises makes this a threat. Even where someone hasn’t installed it on a computer they use for work, gamers take their mobiles into work so that they can play at lunchtime.
The saving grace here is that Baldr is not spread peer to peer. It only infects the gamer’s machine. But if that gamer is on a corporate network, the malware is quite capable of stealing enterprise credentials. IT departments should take note of the C&C server details in the SophosLabs advisory and make sure they are blacklisted.