Warning to gamers: watch out for phony cheats

Malware creators have often delivered their payloads by tricking victims into grabbing too-good-to-be-true freebies. Now, this has been happening to gamers. And not just the gamers themselves. Innocent family members and other bystanders they happen to share their computers with are also impacted.

SophosLabs recently uncovered a new malware family, Baldr. Baldr gained its foothold by targeting gamers in many of the places where they hang out online. Gamers were lured in by online YouTube videos promising them cheats for some top online first-person shooter games. This included incredibly popular games like Fortnite, Apex Legend, and Counter-Strike. Download links were also distributed in gaming channels on both Discord and Telegram.

Something for nothing – but not quite

In some cases, Baldr malware was embedded directly into pirated versions of games. Again, this took advantage of people already willing to get something illegitimate for nothing. Baldr also found its way into installers for cryptocurrency mining software that was otherwise perfectly legit.

If the cheats Baldr promised were real, players who installed them could’ve grabbed an unfair advantage against their online competitors. But the cheats weren’t real – and the malware sure was. Once installed on the victims’ computers, it quickly captured their data. Developers could put up for sale on the dark web, helping other cybercriminals to steal the computer users’ identities.

Hit-and-run malware

When it came to stealing data, Baldr was a fast and thorough hit-and-run artist. In just 30 seconds or less, it would scoop up:

• Everything it could find about the user’s location, hardware, operating system software, network, and installed programs
• Saved credentials and browsing history from each of 20-plus browsers a user might have installed
• The full contents of browser web caches. This includes browsing history, cookies, domains visited, and any saved credit card or autocomplete information it might find
• Credentials from a user’s FTP logins to upload or download files. Some of these are protected by shockingly weak security, and might offer a pathway to capturing other user passwords
• Plain-text credentials from instant messaging clients like Jabber
• Configuration files for popular VPN services such as ProtonVPN and NordVPN
• Wallets associated with bitcoin, Zcash, Litecoin, Bytecoin, Monero, Ethereum, and many other cryptocurrencies
• Files associated with usage of the Telegram messaging and voice app
• Screen shots showing exactly what the user was working on

It would bundle all that stuff into one encrypted file. This file is then uploaded to the criminal’s command and control server. It could be parsed and organized for sale to other bad guys on the dark web.

An evolving threat

During the first half of 2019, Baldr evolved through four major revisions. Each was offered for purchase to other cybercriminals who could use it for their own nefarious purposes. In June 2019, apparently due to a conflict between its developer and leading distributor, it suddenly became unavailable for purchase. By then, a posting on a dark web message board claimed, 200-plus criminals had bought a license to use it. Many of them apparently did. We found evidence of Baldr infections in 11 countries.

Even though Baldr has disappeared from dark web stores, the old versions have continued to work. We suspect it’ll be back, quite possibly with a new name.

Baldr hasn’t become ubiquitous, and Sophos Home Premium advanced anti-malware software can recognize it and root it out. But it offers a loud warning to gamers (and whoever shares a computer with them). Be careful where you go and what you download, and if it sounds too good to be true, it probably is.