The Baldr malware is a computer virus designed against computer gamers who cheat at two popular games, Counter Strike: Global Offensive and Apex Legends. It is particularly powerful, and the hacking group behind it appears to be fairly experienced, having built it to cause a great deal of damage to the infected hosts.
CS: GO and Apex Legends Gamers Targeted by The Baldr Malware
Since the beginning of this year computer users have been targeted by a dangerous virus called the Baldr malware. The latest few attack campaigns appear to be set against players of two of the most popular computer games, CS:GO (Counter Strike: Global Offensive) and Apex Legends. We know that it has been offered for sale by its developers on underground markets, which leads to the proposition that practically any hacking group could be using it for their own purposes.
By themselves, the versions we know of exhibit classic Trojan activity. The attacks so far spread mainly through phishing tactics: archives and documents advertised as useful data are uploaded to popular online platforms to lure the target users into opening them. One of the first intrusion attempts was seen on YouTube, where the hackers post URL-shortened links to the malware files. Email phishing campaigns can also be used to lead to a Baldr malware infection. So far the countries reported to have significant activity are the United States of America, Germany, India, Singapore and Brazil.
The Baldr malware is set to exhibit classic password-stealing activity: it searches for browser sessions and stored account data belonging to common online services, gaming portals and communities. The primary aim of the hackers appears to be identity theft, as the malware is fully capable of searching for stored passwords to email, social media services and online banking portals.
The data extraction module that is part of the threat can gather an extensive array of information, organised in two groups:
- Location Data — IP, Country Code, Country, State Name, City, Time zone, ZIP, ISP and Coordinates.
- Machine Information — Username, PC Name, UUID, HWID, OS Version, CPU Model, GPU Model, RAM information, MAC address, Screen Resolution, System Language, Layout Language, PC Boot Time, Drive List, Drive Model, Driver Serial Number, Disk Size, Disk Signature, Installed Programs List and Running Processes List.
The data of a large number of applications and system services will be searched for sensitive information. The list includes the following:
- Web Browsers — Yandex Browser, Zotero, Waterfox, Thunderbird, Opera, Supermedium, Songbird2, SeaMonkey, Scout, Pale Moon, Opera Neon, Mozilla, Firefox, Fast Web Browser, Edge Dev, Edge SxS, Dragon, Citrio, Chrome, Chrome Beta, Brave Browser, Torch and Vivaldi.
- FTP Clients
- Chat Programs — Pidgin, Psi, Psi+ and Jabber.
- VPN Clients
- Cryptocurrency Wallet Software — Bitcoin, Zcash, Litecoin, Monero, Bytecoin, ElectronCash, MultiDoge, DigiByte, Electrum, Actinium, Exodus, Ethereum and Jaxx Liberty.
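A defender's detection heuristic for the credential-harvesting behaviour described above, added here as an illustration and not code from the original article or from the Baldr operators: a stealer reads the credential stores of several unrelated applications from a single process within seconds, something legitimate software almost never does, so a file-access feed (EDR, Sysmon or similar) can be scanned for exactly that pattern. The event line format, the process images, the timestamps and every path in `SAMPLE_EVENTS` are constructed; the path fragments for Chrome, Firefox, Opera, Electrum, Exodus and Bitcoin Core follow their usual Windows locations but are assumptions to be checked against your own inventory, and the function and constant names are this example's own.

```python
"""Flag any process that reads the credential or wallet stores of several
distinct applications within a short time window.

Constructed file-access events, not real telemetry; the store paths are
assumptions a defender would confirm and extend from their own environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Path fragments of well-known credential and wallet stores, keyed by the
# application they belong to (assumed locations, see the lead-in).
CREDENTIAL_STORES = {
    "chrome":   re.compile(r"\\Google\\Chrome\\User Data\\.*\\Login Data$", re.I),
    "firefox":  re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db)$", re.I),
    "opera":    re.compile(r"\\Opera Software\\.*\\Login Data$", re.I),
    "electrum": re.compile(r"\\Electrum\\wallets\\", re.I),
    "exodus":   re.compile(r"\\Exodus\\", re.I),
    "bitcoin":  re.compile(r"\\Bitcoin\\wallet\.dat$", re.I),
}

# Constructed event format: "<iso timestamp> pid=<n> image=<exe> op=read path=<file>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=read path=(?P<path>.+)$"
)

# Constructed sample feed: pid 4242 sweeps four applications in four seconds
# (the stealer pattern); the other processes touch only their own store, or
# touch several stores hours apart (a backup job), and must not be flagged.
SAMPLE_EVENTS = [
    r"2019-05-01T10:00:01 pid=4242 image=C:\Users\alice\AppData\Roaming\svchost32.exe op=read path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2019-05-01T10:00:02 pid=4242 image=C:\Users\alice\AppData\Roaming\svchost32.exe op=read path=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json",
    r"2019-05-01T10:00:02 pid=4242 image=C:\Users\alice\AppData\Roaming\svchost32.exe op=read path=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\key4.db",
    r"2019-05-01T10:00:03 pid=4242 image=C:\Users\alice\AppData\Roaming\svchost32.exe op=read path=C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet",
    r"2019-05-01T10:00:04 pid=4242 image=C:\Users\alice\AppData\Roaming\svchost32.exe op=read path=C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco",
    r"2019-05-01T10:00:05 pid=1337 image=C:\Program Files\Google\Chrome\Application\chrome.exe op=read path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data".replace("Program Files", "ProgramFiles"),
    r"2019-05-01T10:05:00 pid=2001 image=C:\ProgramFiles\Mozilla\firefox.exe op=read path=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\key4.db",
    r"2019-05-01T10:30:00 pid=9001 image=C:\Tools\backup.exe op=read path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2019-05-01T11:30:00 pid=9001 image=C:\Tools\backup.exe op=read path=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json",
    r"2019-05-01T12:30:00 pid=9001 image=C:\Tools\backup.exe op=read path=C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat",
]


def classify(path):
    """Return the application whose credential store `path` belongs to, else None."""
    for app, pattern in CREDENTIAL_STORES.items():
        if pattern.search(path):
            return app
    return None


def parse_event(line):
    """Parse one constructed event line into a dict, or return None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "pid": int(m["pid"]),
        "image": m["image"],
        "path": m["path"],
    }


def find_credential_harvesters(lines, window=timedelta(seconds=60), min_apps=3):
    """Return {pid: {"image": ..., "apps": [...]}} for every process that read the
    stores of at least `min_apps` distinct applications inside any `window`."""
    by_pid = defaultdict(list)
    images = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        app = classify(ev["path"])
        if app is None:
            continue  # not a credential store; ignore
        by_pid[ev["pid"]].append((ev["ts"], app))
        images[ev["pid"]] = ev["image"]

    hits = {}
    for pid, events in by_pid.items():
        events.sort()
        best = set()
        # Slide a window starting at each access and keep the richest one.
        for i, (start, _) in enumerate(events):
            apps = {app for ts, app in events[i:] if ts - start <= window}
            if len(apps) > len(best):
                best = apps
        if len(best) >= min_apps:
            hits[pid] = {"image": images[pid], "apps": sorted(best)}
    return hits


if __name__ == "__main__":
    for pid, hit in find_credential_harvesters(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({hit['image']}) read stores of: {', '.join(hit['apps'])}")
```

The threshold of three applications within sixty seconds is a starting point, not a law: a password manager import or a migration tool can legitimately sweep several browsers, so in production the hit should be enriched with the image's signer and parent process before it becomes an alert.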
As a classic data-stealing Trojan it will also make a series of system changes, one of the most notable being its security bypass function. It protects itself from discovery by anti-virus programs and security solutions by installing itself in locations where system data is kept and by hooking into the processes of both third-party applications and Windows services.
Baldr also allows the hackers to deploy other malware to the compromised hosts. Along with the extensive remote control functions, the hackers can run specific modules and buy upcoming ones from the developers as well. We anticipate that future infections are very likely, as the codebase is extensive and this Trojan can be used in all kinds of attack scenarios.